djvu | eb73abcdf4dcaebcc64d9d472163134b2735b75d3a6e719191e2d85da0ac5877

Analysis

max time kernel
1200s
max time network
1121s
platform
windows7_x64
resource
win7-en-20210920
submitted
22-10-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15af01dd6facad6b0f82e53a32f45d47.exe
Size

826KB
MD5

15af01dd6facad6b0f82e53a32f45d47
SHA1

1616ea7ab7951785d56c7e36caabf6da259e7a38
SHA256

eb73abcdf4dcaebcc64d9d472163134b2735b75d3a6e719191e2d85da0ac5877
SHA512

7217d9e791f936f84afec609690a7841557db6e9f3b83ff85d6cbc5faaa9e1d34f29c19bac8ff11d671317bb854c760ce73264853426e8296581aeae277a69f1

Score

10^/10

djvu vidar 517 discovery persistence ransomware stealer

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xl2bbDnZSN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0338gSd743dEy1gd1zw5QaTuD9AdJnQXoohKZidIKAiW6h35Dxs

Emails

[email protected]

URLs

https://we.tl/t-xl2bbDnZSN

Extracted

Family

vidar

Version

41.5

Botnet

517

https://mas.to/@xeroxxx

Attributes

profile_id
517

Extracted

Family

djvu

http://rlrz.org/fhsgtsspen6

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/576-56-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/576-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/268-57-0x00000000046D0000-0x00000000047EB000-memory.dmp	family_djvu
behavioral1/memory/576-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1612-66-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1612-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1104-195-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1056-241-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1056-243-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1228-86-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1228-87-0x00000000004A18CD-mapping.dmp	family_vidar
behavioral1/memory/1724-91-0x00000000048B0000-0x0000000004986000-memory.dmp	family_vidar
behavioral1/memory/1228-92-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 46 IoCs

Processes:

build2.exebuild3.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe15af01dd6facad6b0f82e53a32f45d47.exe15af01dd6facad6b0f82e53a32f45d47.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe15af01dd6facad6b0f82e53a32f45d47.exe15af01dd6facad6b0f82e53a32f45d47.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
1724	build2.exe
1672	build3.exe
1228	build2.exe
2028	build3.exe
364	mstsca.exe
1408	mstsca.exe
2024	mstsca.exe
948	mstsca.exe
1836	mstsca.exe
1792	mstsca.exe
548	mstsca.exe
932	mstsca.exe
900	mstsca.exe
1320	mstsca.exe
1692	mstsca.exe
1624	mstsca.exe
1872	mstsca.exe
1780	mstsca.exe
1708	mstsca.exe
2036	mstsca.exe
1836	mstsca.exe
1244	mstsca.exe
1536	mstsca.exe
568	mstsca.exe
1188	mstsca.exe
2024	mstsca.exe
1600	15af01dd6facad6b0f82e53a32f45d47.exe
1104	15af01dd6facad6b0f82e53a32f45d47.exe
2040	mstsca.exe
1600	mstsca.exe
824	mstsca.exe
1496	mstsca.exe
896	mstsca.exe
1944	mstsca.exe
1336	mstsca.exe
1636	mstsca.exe
1672	mstsca.exe
2032	mstsca.exe
1580	15af01dd6facad6b0f82e53a32f45d47.exe
1056	15af01dd6facad6b0f82e53a32f45d47.exe
1752	mstsca.exe
956	mstsca.exe
1176	mstsca.exe
1608	mstsca.exe
1092	mstsca.exe
1632	mstsca.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

15af01dd6facad6b0f82e53a32f45d47.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConnectSplit.raw => C:\Users\Admin\Pictures\ConnectSplit.raw.irjg	15af01dd6facad6b0f82e53a32f45d47.exe
File opened for modification	C:\Users\Admin\Pictures\MergeRename.tiff	15af01dd6facad6b0f82e53a32f45d47.exe
File renamed	C:\Users\Admin\Pictures\MergeRename.tiff => C:\Users\Admin\Pictures\MergeRename.tiff.irjg	15af01dd6facad6b0f82e53a32f45d47.exe
File renamed	C:\Users\Admin\Pictures\SubmitTrace.tif => C:\Users\Admin\Pictures\SubmitTrace.tif.irjg	15af01dd6facad6b0f82e53a32f45d47.exe

Loads dropped DLL 11 IoCs

Processes:

15af01dd6facad6b0f82e53a32f45d47.exeWerFault.exe

pid	process
1612	15af01dd6facad6b0f82e53a32f45d47.exe
1612	15af01dd6facad6b0f82e53a32f45d47.exe
1612	15af01dd6facad6b0f82e53a32f45d47.exe
1612	15af01dd6facad6b0f82e53a32f45d47.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1196 icacls.exe

pid	process
1196	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

15af01dd6facad6b0f82e53a32f45d47.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\\15af01dd6facad6b0f82e53a32f45d47.exe\" --AutoStart"	15af01dd6facad6b0f82e53a32f45d47.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.2ip.ua
13 api.2ip.ua
38 api.2ip.ua
42 api.2ip.ua
4 api.2ip.ua

flow	ioc
5	api.2ip.ua
13	api.2ip.ua
38	api.2ip.ua
42	api.2ip.ua
4	api.2ip.ua

Suspicious use of SetThreadContext 25 IoCs

Processes:

15af01dd6facad6b0f82e53a32f45d47.exe15af01dd6facad6b0f82e53a32f45d47.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe15af01dd6facad6b0f82e53a32f45d47.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe15af01dd6facad6b0f82e53a32f45d47.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 268 set thread context of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 set thread context of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1724 set thread context of 1228	1724	build2.exe	build2.exe
PID 1672 set thread context of 2028	1672	build3.exe	build3.exe
PID 364 set thread context of 1408	364	mstsca.exe	mstsca.exe
PID 2024 set thread context of 948	2024	mstsca.exe	mstsca.exe
PID 1836 set thread context of 1792	1836	mstsca.exe	mstsca.exe
PID 548 set thread context of 932	548	mstsca.exe	mstsca.exe
PID 900 set thread context of 1320	900	mstsca.exe	mstsca.exe
PID 1692 set thread context of 1624	1692	mstsca.exe	mstsca.exe
PID 1872 set thread context of 1780	1872	mstsca.exe	mstsca.exe
PID 1708 set thread context of 2036	1708	mstsca.exe	mstsca.exe
PID 1836 set thread context of 1244	1836	mstsca.exe	mstsca.exe
PID 1536 set thread context of 568	1536	mstsca.exe	mstsca.exe
PID 1188 set thread context of 2024	1188	mstsca.exe	mstsca.exe
PID 1600 set thread context of 1104	1600	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 2040 set thread context of 1600	2040	mstsca.exe	mstsca.exe
PID 824 set thread context of 1496	824	mstsca.exe	mstsca.exe
PID 896 set thread context of 1944	896	mstsca.exe	mstsca.exe
PID 1336 set thread context of 1636	1336	mstsca.exe	mstsca.exe
PID 1672 set thread context of 2032	1672	mstsca.exe	mstsca.exe
PID 1580 set thread context of 1056	1580	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1752 set thread context of 956	1752	mstsca.exe	mstsca.exe
PID 1176 set thread context of 1608	1176	mstsca.exe	mstsca.exe
PID 1092 set thread context of 1632	1092	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1836 1228 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1324 schtasks.exe
1012 schtasks.exe

pid	pid_target	process	target process
1836	1228	WerFault.exe	build2.exe

pid	process
1324	schtasks.exe
1012	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

15af01dd6facad6b0f82e53a32f45d47.exe15af01dd6facad6b0f82e53a32f45d47.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	15af01dd6facad6b0f82e53a32f45d47.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	15af01dd6facad6b0f82e53a32f45d47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	15af01dd6facad6b0f82e53a32f45d47.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	15af01dd6facad6b0f82e53a32f45d47.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	15af01dd6facad6b0f82e53a32f45d47.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

1164 NOTEPAD.EXE
1548 NOTEPAD.EXE

pid	process
1164	NOTEPAD.EXE
1548	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

15af01dd6facad6b0f82e53a32f45d47.exetaskmgr.exe15af01dd6facad6b0f82e53a32f45d47.exeWerFault.exe

pid	process
576	15af01dd6facad6b0f82e53a32f45d47.exe
576	15af01dd6facad6b0f82e53a32f45d47.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1612	15af01dd6facad6b0f82e53a32f45d47.exe
1612	15af01dd6facad6b0f82e53a32f45d47.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1212 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskmgr.exeWerFault.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1212	taskmgr.exe
Token: SeDebugPrivilege	1836	WerFault.exe
Token: 33	524	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	524	AUDIODG.EXE
Token: 33	524	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	524	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe
1212	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15af01dd6facad6b0f82e53a32f45d47.exe15af01dd6facad6b0f82e53a32f45d47.exe15af01dd6facad6b0f82e53a32f45d47.exe15af01dd6facad6b0f82e53a32f45d47.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 268 wrote to memory of 576	268	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 576 wrote to memory of 1196	576	15af01dd6facad6b0f82e53a32f45d47.exe	icacls.exe
PID 576 wrote to memory of 1196	576	15af01dd6facad6b0f82e53a32f45d47.exe	icacls.exe
PID 576 wrote to memory of 1196	576	15af01dd6facad6b0f82e53a32f45d47.exe	icacls.exe
PID 576 wrote to memory of 1196	576	15af01dd6facad6b0f82e53a32f45d47.exe	icacls.exe
PID 576 wrote to memory of 1912	576	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 576 wrote to memory of 1912	576	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 576 wrote to memory of 1912	576	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 576 wrote to memory of 1912	576	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1912 wrote to memory of 1612	1912	15af01dd6facad6b0f82e53a32f45d47.exe	15af01dd6facad6b0f82e53a32f45d47.exe
PID 1612 wrote to memory of 1724	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build2.exe
PID 1612 wrote to memory of 1724	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build2.exe
PID 1612 wrote to memory of 1724	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build2.exe
PID 1612 wrote to memory of 1724	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build2.exe
PID 1612 wrote to memory of 1672	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build3.exe
PID 1612 wrote to memory of 1672	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build3.exe
PID 1612 wrote to memory of 1672	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build3.exe
PID 1612 wrote to memory of 1672	1612	15af01dd6facad6b0f82e53a32f45d47.exe	build3.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1724 wrote to memory of 1228	1724	build2.exe	build2.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 1672 wrote to memory of 2028	1672	build3.exe	build3.exe
PID 2028 wrote to memory of 1324	2028	build3.exe	schtasks.exe
PID 2028 wrote to memory of 1324	2028	build3.exe	schtasks.exe
PID 2028 wrote to memory of 1324	2028	build3.exe	schtasks.exe
PID 2028 wrote to memory of 1324	2028	build3.exe	schtasks.exe
PID 1228 wrote to memory of 1836	1228	build2.exe	WerFault.exe
PID 1228 wrote to memory of 1836	1228	build2.exe	WerFault.exe
PID 1228 wrote to memory of 1836	1228	build2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe
"C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe
"C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1196

C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe
"C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe
"C:\Users\Admin\AppData\Local\Temp\15af01dd6facad6b0f82e53a32f45d47.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Modifies extensions of user files
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
"C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
"C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 892
7⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe
"C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe
"C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212

C:\Windows\system32\taskeng.exe
taskeng.exe {841CFCF1-C798-4CD7-A41F-4E6A95A91AFE} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1072

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:364

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:1012

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2024

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1836

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:548

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:900

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1320

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1692

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1872

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1708

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1836

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1536

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:568

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1188

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe
C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe --Task
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1600

C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe
C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe --Task
3⤵
- Executes dropped EXE
PID:1104

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2040

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:824

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:896

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1336

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1672

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe
C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe --Task
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1580

C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe
C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe --Task
3⤵
- Executes dropped EXE
PID:1056

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1752

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1092

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1632

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\SystemID\PersonalID.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1164

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemID\PersonalID.txt
MD5
23a4f8eaa154fdfeffb6f1caf39b15b5

SHA1
2980355e50f46f60d1542f09cfdfac489d2c871e

SHA256
29d865a1de59d99103cb7da1c9da61a812fb655941a4be50b6d4fc0a9803f3c3

SHA512
3ff19ca2491989bc42c42871e2c28a202cccc1e9c44a6f6bcd1560e7a0304804c580f981ff111014958539dec828e259378b3d02d6ff9bc16c013c5688b9a7b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
50d9d5311b74576fbbb5c9f204fdc16b

SHA1
7dd97b713e33f287440441aa3bb7966a2cb68321

SHA256
d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad

SHA512
67d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8f19b97ffda28eb06efc2181fd126b9c

SHA1
142443021d6ffaf32d3d60635d0edf540a039f2e

SHA256
49607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7

SHA512
6577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dc54036ea0c9d2027cafb1014258f4ba

SHA1
d7c032b1467258bf718a92a4be939bfc5922806a

SHA256
da16919e8e41c6e918aa9cdb2671582659ae0b0b5fb5418bd3219efef51b306e

SHA512
d49f070e297ba555e8cdab5dcbfa8a9611331bed74e9c3b1e3f1edc450fa6a82bb66e97531394773933234c19d7c79ef7f035724e145e4b99b4b4b5c3d178d2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c4ac09696976c673e123632bed26f8ce

SHA1
b68774df722791e90bc7089d94dc7367fb34bacb

SHA256
af72b2b7aed08a01a0d293b8413ee73ce32700f046b6cbb75fe6ba1aaa6a9d20

SHA512
25c4a66f26088c3cc25d0a23b711b9a394a05b5e07af68006fbed88a8d08607b8459abc688582f4f7ec13958b73c5d20778ea856b2951760f69304516cece03e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5b416b8e0d619911eee159c12830ecfe

SHA1
53509047703f6558af2afea8a786daaf09a1410f

SHA256
03e5228a969bec273246972b16c4398b68e4e5850954abdfdfa443e4e175f90f

SHA512
274ca059f0b2e4360d94f7dd377a147d51663a4dc23df3c9b8946cbf75ea41ff90696527f71d9e6c33c05b503fa37eb476e4aab8b311efcf92d22532b5418617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
fca2028148dde6e27d66a613f1fd4086

SHA1
f25b58da3eaefadc26ddcdad400330c104bf8255

SHA256
c740bf7d18c478483c40e5a30fdfa7c2025fd84c81bdbdf8c1bac9fb3399e0ac

SHA512
13a95448583a02839d962ceb50ab7fff55b65c51c5fd37f3fb2e0fc38fef28944f55391b3c0e8d19f5bb166c99ae6f6ec22438f1d31fd508ad3fec7db24b0a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
e06c63340ffb98bd7e4d54d37407c619

SHA1
7cfd80266cc6bcca61dd0fde4f6b012b0e3ebcab

SHA256
867d56640e393a82b4138a1fc759846b55c2c3ce7464d02f0b6fe25f40124ee2

SHA512
a8c85bd24b3ea7f3213588c6dc69e529136b1c6bf2ebae81784921319080eeab3213ab7b77df73caa2b8a7d7cafbd21247dfd3807cf7feb404d41230957244bc

Download Submit
C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe
MD5
15af01dd6facad6b0f82e53a32f45d47

SHA1
1616ea7ab7951785d56c7e36caabf6da259e7a38

SHA256
eb73abcdf4dcaebcc64d9d472163134b2735b75d3a6e719191e2d85da0ac5877

SHA512
7217d9e791f936f84afec609690a7841557db6e9f3b83ff85d6cbc5faaa9e1d34f29c19bac8ff11d671317bb854c760ce73264853426e8296581aeae277a69f1

Download Submit
C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe
MD5
15af01dd6facad6b0f82e53a32f45d47

SHA1
1616ea7ab7951785d56c7e36caabf6da259e7a38

SHA256
eb73abcdf4dcaebcc64d9d472163134b2735b75d3a6e719191e2d85da0ac5877

SHA512
7217d9e791f936f84afec609690a7841557db6e9f3b83ff85d6cbc5faaa9e1d34f29c19bac8ff11d671317bb854c760ce73264853426e8296581aeae277a69f1

Download Submit
C:\Users\Admin\AppData\Local\79f96d12-9f7f-4f5c-86f8-f7f77def6d2f\15af01dd6facad6b0f82e53a32f45d47.exe
MD5
15af01dd6facad6b0f82e53a32f45d47

SHA1
1616ea7ab7951785d56c7e36caabf6da259e7a38

SHA256
eb73abcdf4dcaebcc64d9d472163134b2735b75d3a6e719191e2d85da0ac5877

SHA512
7217d9e791f936f84afec609690a7841557db6e9f3b83ff85d6cbc5faaa9e1d34f29c19bac8ff11d671317bb854c760ce73264853426e8296581aeae277a69f1

Download Submit
C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\_readme.txt
MD5
2a63846921cb9adaaf834e8591465b2e

SHA1
2ed108c72455d9b818ca1edb00d10e3e495666b4

SHA256
d5502934e97e2e141d5c8f8d5c110798cbb27a1e819c44d18f62a9a214ac4b03

SHA512
0c6f4d774fbefcdd2569bc8a9b0feb78f31f3269cfc04466580827d9abc5d8fa5079e1917ae996d386290ffd018151e5ca28848c2bff0592c6809efbc7706f30

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\c4cea26a-827a-4238-a4a3-4399fd862c61\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
memory/268-57-0x00000000046D0000-0x00000000047EB000-memory.dmp

Filesize
1.1MB

Download
memory/268-54-0x00000000045D0000-0x0000000004661000-memory.dmp

Filesize
580KB

Download
memory/364-110-0x0000000000000000-mapping.dmp

Download
memory/364-112-0x00000000033CD000-0x00000000033DE000-memory.dmp

Filesize
68KB

Download
memory/548-137-0x000000000342D000-0x000000000343E000-memory.dmp

Filesize
68KB

Download
memory/548-135-0x0000000000000000-mapping.dmp

Download
memory/568-181-0x0000000000401AFA-mapping.dmp

Download
memory/576-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/576-56-0x0000000000424141-mapping.dmp

Download
memory/576-58-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/576-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/824-210-0x0000000000000000-mapping.dmp

Download
memory/824-212-0x00000000033BD000-0x00000000033CE000-memory.dmp

Filesize
68KB

Download
memory/896-219-0x00000000036CD000-0x00000000036DE000-memory.dmp

Filesize
68KB

Download
memory/896-217-0x0000000000000000-mapping.dmp

Download
memory/900-144-0x000000000333D000-0x000000000334E000-memory.dmp

Filesize
68KB

Download
memory/900-142-0x0000000000000000-mapping.dmp

Download
memory/932-139-0x0000000000401AFA-mapping.dmp

Download
memory/948-122-0x0000000000401AFA-mapping.dmp

Download
memory/956-247-0x0000000000401AFA-mapping.dmp

Download
memory/1012-117-0x0000000000000000-mapping.dmp

Download
memory/1056-243-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1056-241-0x0000000000424141-mapping.dmp

Download
memory/1092-254-0x0000000000000000-mapping.dmp

Download
memory/1104-195-0x0000000000424141-mapping.dmp

Download
memory/1176-249-0x0000000000000000-mapping.dmp

Download
memory/1188-186-0x00000000033FD000-0x000000000340E000-memory.dmp

Filesize
68KB

Download
memory/1188-184-0x0000000000000000-mapping.dmp

Download
memory/1196-60-0x0000000000000000-mapping.dmp

Download
memory/1212-61-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1228-86-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1228-87-0x00000000004A18CD-mapping.dmp

Download
memory/1228-92-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1244-174-0x0000000000401AFA-mapping.dmp

Download
memory/1320-146-0x0000000000401AFA-mapping.dmp

Download
memory/1324-97-0x0000000000000000-mapping.dmp

Download
memory/1336-226-0x00000000032ED000-0x00000000032FE000-memory.dmp

Filesize
68KB

Download
memory/1336-224-0x0000000000000000-mapping.dmp

Download
memory/1408-114-0x0000000000401AFA-mapping.dmp

Download
memory/1496-214-0x0000000000401AFA-mapping.dmp

Download
memory/1536-177-0x0000000000000000-mapping.dmp

Download
memory/1536-179-0x00000000033ED000-0x00000000033FE000-memory.dmp

Filesize
68KB

Download
memory/1580-238-0x0000000000000000-mapping.dmp

Download
memory/1600-191-0x0000000000000000-mapping.dmp

Download
memory/1600-193-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/1600-207-0x0000000000401AFA-mapping.dmp

Download
memory/1608-252-0x0000000000401AFA-mapping.dmp

Download
memory/1612-66-0x0000000000424141-mapping.dmp

Download
memory/1612-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1624-153-0x0000000000401AFA-mapping.dmp

Download
memory/1632-257-0x0000000000401AFA-mapping.dmp

Download
memory/1636-228-0x0000000000401AFA-mapping.dmp

Download
memory/1672-83-0x0000000000000000-mapping.dmp

Download
memory/1672-90-0x000000000342D000-0x000000000343E000-memory.dmp

Filesize
68KB

Download
memory/1672-98-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1672-231-0x0000000000000000-mapping.dmp

Download
memory/1692-149-0x0000000000000000-mapping.dmp

Download
memory/1692-151-0x00000000033ED000-0x00000000033FE000-memory.dmp

Filesize
68KB

Download
memory/1708-165-0x00000000002CD000-0x00000000002DE000-memory.dmp

Filesize
68KB

Download
memory/1708-163-0x0000000000000000-mapping.dmp

Download
memory/1724-79-0x000000000315D000-0x00000000031DA000-memory.dmp

Filesize
500KB

Download
memory/1724-91-0x00000000048B0000-0x0000000004986000-memory.dmp

Filesize
856KB

Download
memory/1724-77-0x0000000000000000-mapping.dmp

Download
memory/1752-244-0x0000000000000000-mapping.dmp

Download
memory/1780-160-0x0000000000401AFA-mapping.dmp

Download
memory/1792-129-0x0000000000401AFA-mapping.dmp

Download
memory/1836-172-0x00000000002ED000-0x00000000002FE000-memory.dmp

Filesize
68KB

Download
memory/1836-170-0x0000000000000000-mapping.dmp

Download
memory/1836-127-0x00000000002AD000-0x00000000002BE000-memory.dmp

Filesize
68KB

Download
memory/1836-100-0x0000000000000000-mapping.dmp

Download
memory/1836-108-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1836-125-0x0000000000000000-mapping.dmp

Download
memory/1872-156-0x0000000000000000-mapping.dmp

Download
memory/1872-158-0x000000000331D000-0x000000000332E000-memory.dmp

Filesize
68KB

Download
memory/1912-64-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1912-63-0x0000000000000000-mapping.dmp

Download
memory/1944-221-0x0000000000401AFA-mapping.dmp

Download
memory/2024-188-0x0000000000401AFA-mapping.dmp

Download
memory/2024-120-0x00000000002CD000-0x00000000002DE000-memory.dmp

Filesize
68KB

Download
memory/2024-118-0x0000000000000000-mapping.dmp

Download
memory/2028-99-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2028-93-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2028-94-0x0000000000401AFA-mapping.dmp

Download
memory/2032-235-0x0000000000401AFA-mapping.dmp

Download
memory/2036-167-0x0000000000401AFA-mapping.dmp

Download
memory/2040-203-0x0000000000000000-mapping.dmp

Download
memory/2040-205-0x000000000331D000-0x000000000332E000-memory.dmp

Filesize
68KB

Download