dearcry | d3722c88f41e2a0a88ee0a6e696df83524662ea0ff5d30f441e05cdc4dbcf9cf

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-01-2022 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e55ead3b8fd305d9a54f78c7b56741a.exe
Size

1.3MB
MD5

0e55ead3b8fd305d9a54f78c7b56741a
SHA1

f7b084e581a8dcea450c2652f8058d93797413c3
SHA256

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
SHA512

5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa

Score

10^/10

dearcry persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0e55ead3b8fd305d9a54f78c7b56741a.exe

description	ioc	Process
File created	C:\Users\Admin\Pictures\SearchMove.png.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Users\Admin\Pictures\UndoNew.tif.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Users\Admin\Pictures\CheckpointOpen.png.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

0e55ead3b8fd305d9a54f78c7b56741a.exeExplorer.EXE

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	Explorer.EXE
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K819CMRP\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Explorer.EXE
File opened for modification	C:\Program Files\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S3IV548V\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe

Drops file in Program Files directory 64 IoCs

Processes:

0e55ead3b8fd305d9a54f78c7b56741a.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OFFREL.DLL	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sl.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_kn.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAProject.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunec.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MAIN.XML.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGHEADING.XML	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_nl.dll.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLMAPI32.DLL	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_mr.dll.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File created	C:\Program Files\Java\jre7\bin\server\Xusage.txt.CRYPT	0e55ead3b8fd305d9a54f78c7b56741a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRLEX.DLL	0e55ead3b8fd305d9a54f78c7b56741a.exe

Drops file in Windows directory 2 IoCs

Processes:

Explorer.EXE

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
436	1376	WerFault.exe	16

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 5 IoCs

Processes:

Explorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1116	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid	Process
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
1624	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

WerFault.exeExplorer.EXE

description	pid	Process
Token: SeDebugPrivilege	436	WerFault.exe
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE
Token: SeShutdownPrivilege	1624	Explorer.EXE

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

Explorer.EXE

pid	Process
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

Explorer.EXE

pid	Process
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE
1624	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WerFault.exeExplorer.EXE

description	pid	Process	procid_target
PID 436 wrote to memory of 1624	436	WerFault.exe	32
PID 436 wrote to memory of 1624	436	WerFault.exe	32
PID 436 wrote to memory of 1624	436	WerFault.exe	32
PID 1624 wrote to memory of 1116	1624	Explorer.EXE	34
PID 1624 wrote to memory of 1116	1624	Explorer.EXE	34
PID 1624 wrote to memory of 1116	1624	Explorer.EXE	34

C:\Users\Admin\AppData\Local\Temp\0e55ead3b8fd305d9a54f78c7b56741a.exe
"C:\Users\Admin\AppData\Local\Temp\0e55ead3b8fd305d9a54f78c7b56741a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1376 -s 1108
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

MD5
4534f12102d235344cf8dda748f0cabf

SHA1
7db67baceeecb3a420bf37a7beca4a45185f8f3c

SHA256
1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

SHA512
7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{4CCD719F-5037-4633-868D-4C99B593451C}.2.ver0x0000000000000001.db

MD5
fa9e85abb871124fe8983fee90d97eb2

SHA1
5297020d75de460732b3e2b8ae643cde1f3af9b1

SHA256
11b959df29b296dc658cb59f25033983972c4a617706f88bf8bee8d8afd347bf

SHA512
025a4fc5ad0028b946c42563cc32e10f43d43236967276d8bbc8aaa6f0d3ce2270bac3bd962c8b07fb2c5a52df9c9bf7f6d3c5b995cdd9747971549599021d43

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{4CCD719F-5037-4633-868D-4C99B593451C}.2.ver0x0000000000000001.db.CRYPT

MD5
affc07bf1088c46beb93d1e996599c04

SHA1
40819dc836ffdc11cc0178e8e5dccd59b68227d1

SHA256
7a1aede159409528a250ced6ef001918d781e5e4d883094fa0aeca2f92cdb71f

SHA512
59a11485d5b5cad303ee6eac2465a2736a6b5fa29ad964cdd82fcf97c114aabb2bc64f29075f0523819381aa60c673c88993965375061d3c6627f5d4cf1f8877

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db

MD5
e7cec80fd060adc354790a609436b9c6

SHA1
96223c8fa75b5bf9df9d9ce85e40a53cc9730dc0

SHA256
9cf571206c6d0e6c756c178222db5a3c4e98b101a41b65c729d0f77aab7f4978

SHA512
16b50ba07b67a192844574afcc619e1c0a1bbe7f34e8e1013320397a73a2a3df508d632c99995c7cc9027205a3afed9a7a26c4ac47cb99d812bd349941bdc0f1

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db.CRYPT

MD5
28f786ad32e6cebca5089cb788b0c558

SHA1
4f889c29be12457a8b80c49a6ec6c3f23fbc5b84

SHA256
920ff31647498fa67bfd7641d086897ee954bb0a841abf5da4fe5086c09e8e76

SHA512
fce6e8f501fb44a00fe10afecb7cc7f67fe5eb93f51e5b66aab1cba5d7feb5f753e35d9c2a2c3bec1d2855340475eaee4e6acf726c3ce6f2a21d31823a223f7c

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{C4B1DBC3-CE12-4C89-9306-D1A112DD8B07}.2.ver0x0000000000000001.db

MD5
0044dffe1459f6b6f9a54ee66995e171

SHA1
25aa485c441b0a72ee52783b8b91cd41d1c127d3

SHA256
ab728ed36db24993653ec18eae2da791bfe7aa3f3b358841a37bdbf8b6184d13

SHA512
2a7d53127b8e122d2e7b6710e9edb94e2bb81784f0764eeab69a494a3c79838bf2e49466387139c91eec39bd46aebf2896e1669e44eb99cbe87efebe8f48ce69

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{C4B1DBC3-CE12-4C89-9306-D1A112DD8B07}.2.ver0x0000000000000001.db.CRYPT

MD5
9fd759de80974297c7783fa24d57d667

SHA1
fd89a4219dddd994290704a17532d271b914599c

SHA256
15f93a47d066c322611315f9c26148406b68c6e973f48e32115b9110a224280b

SHA512
fbba1d41ca6d08b77658496f21c000b911d8bf4c1a86dc6e8fc347ff406a1df97b2e222313572e72818597d9e71754932424a9982ad63cad31bbf54f0254947c

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{D150E6A8-A86F-4871-968A-2FCA6A76C0C5}.2.ver0x0000000000000002.db

MD5
d846dfbc02378d2abc6f1bfe15fcbb41

SHA1
7c2258eeef30b2332f8078443aaad2dd03330450

SHA256
3982088d0f4ad78ba7e0c2d55a171c42a95541e18fa8caddba0a43931aace384

SHA512
ba96848d686625b8045312390a164bca810383f5018221fd05892e5905f624d4ce2b0f98283fc7ca74c0b2f6ab65071efce31e96a54a552fc14dd9ec69284a9e

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{D150E6A8-A86F-4871-968A-2FCA6A76C0C5}.2.ver0x0000000000000002.db.CRYPT

MD5
1594a2502e3de848dd30ab4311dfa7fe

SHA1
c016b06c4960a55728ebddae13b225288b4512de

SHA256
3784ec92dc42f32bfd7fcf0d26bdca9eded902d990ad771623103859f2288eeb

SHA512
fa5057076c34ad0307cf963b342f1b267901a5bff19dbcce8bb359a283ec3e5b54cf93ecaf1f718e3885d31de0680828f771433667acdd358dea4b0de035e7f1

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db

MD5
16b6897cdc08efcd08c869c4d0787450

SHA1
78c45aad234223c27d3f88169a4aa13d05ec1ee1

SHA256
8c5f0fbfa7f36a966f950fcba1fbd32ffaff1abf0e2cc70c2ddf12e9c915661a

SHA512
e2558371e2565428b498e56eb27a9f0ebd69883f3eb2e376b6170f939d6e933e685447ab7e201a3b6bf8df8f9125514df737306230593e2142a76f06070b8d99

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.CRYPT

MD5
4b6e3d7140190302f17e3db72872cb24

SHA1
c45b76392036810341d4b38c25fed0ca663b3e9a

SHA256
74c90c44db31fcdd310419501d6632f5af173cbebf142093f776cfca86f5455c

SHA512
7c2439aaad52283b9446bb214d50ef71cb752e3e4db3c03676c60418a9ef5d04d19eea14dc821e1dd06c9f72ad58658389d4c3b46d7dd472639f34c4a3c4d81c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

MD5
e6065c4aa2ab1603008fc18410f579d4

SHA1
9a7dcfd9029de86dc088ee6ebbef48df90e7c6cd

SHA256
4e29ad18ab9f42d7c233500771a39d7c852b200baf328fd00fbbe3fecea1eb56

SHA512
1339d6533a0b875db3f1f607290f8de0e8f79172390faa03fe1ae15cb738b9c64828b08ed11721acc2909cc9394cc9cc115c9d7c9895cefa76f5146614961277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5
2dafea080ffcb325eb4d72006fc7e326

SHA1
2f2bcad85ea810a8c841f306f66a4b1a1d37958e

SHA256
36ea2479b724407fc45fac24c4c98cb52eaf8bceda46e26b03762b3f72ced8e0

SHA512
a77058434277f88d068b3afd07caac2927bd05739a77eec972a314dbd97e2481331dc7730fe52f72427d46fe8fb6af7daa23a54ca00d5716b34f11935563089b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\Desktop\AssertTest.doc.CRYPT

MD5
475d94524d48db255f7581ce8486c6a2

SHA1
4d798f08c9246012370ce34dbe536d942daa5bbb

SHA256
fb5d4e243980d7a7dac4b4d6366e127a6f92d44077b4bdeb177c98df0bbe51e2

SHA512
f04813c8e655c2c7b0c9e740b3ce78cd9cd5b9a16a438c9c54c8aef2d20dc1891245f472bc9accacc0f926de11317d10b50ba57b8fa07c13991c5acc8a955fd3

Download Submit
C:\Users\Admin\Desktop\ConvertToGroup.ppt.CRYPT

MD5
fa3d4564ecf135c40d45901d204461e0

SHA1
d14aef6e8400f4feef9276b9ea0c0ef80dd94fb6

SHA256
2a93013c27886eb0b873eb0a2fdf2c8933fa06c6183028d35c82bf59503df388

SHA512
d51912481563a1eb81347abaf00a3627dc2ae3a44d67c109ce04b6cf97b8c1c360d8c3767e52c6ae9ffd4decf3d21bfa6ab255502da9e14b650980463a41efd4

Download Submit
C:\Users\Admin\Desktop\LimitImport.html.CRYPT

MD5
34afaa617f55d660cedb7020fe946094

SHA1
cbe9098cface411d7c136a53fe679a769145b696

SHA256
fec76299bacec12d67a0408b8b457f3df8a4967ff8c6724b9f15aa11dce413e0

SHA512
992c0bbf80d17e3a52fb7a4c0840054a9bcd72c49cafa4747c058edcdb62c8c62d32caa43a48ed0d53ccbe42de491196bcd5b61ce790f7c33380dd787188dc2f

Download Submit
C:\Users\Admin\Desktop\SaveBackup.7z.CRYPT

MD5
b5280c202f5f037ffe52e6486e56dea5

SHA1
ffd26161061c4e829f10306d2bc598d6dc06bf28

SHA256
a34350eca210cc1a7866d567208c3c1baa0211982a273b91ccc641802fcabce8

SHA512
341a163bbc11b9425a79436008d4fae3bcea188efe77bffe5c34ae3547d042cd20c24ca707cd301aa2b9751291124728b55e78fab310e8b925b61c841313a37a

Download Submit
C:\Users\Admin\Desktop\SelectExit.wps.CRYPT

MD5
9d606f4883ee4473fb7b3cd5bf902dce

SHA1
a98a1939df5eb3d927376e7000e140717803cf8a

SHA256
f35edaf09cb66b2cfa8a157561a0be5d0188ce6740c63dd9d21172e89b27d4c2

SHA512
8beff1dadcce47251c3f360e9441e0e08edcb91d403f06c829d3708334a7c9a3c3def4a4f4258c9bc2e007bb4f7c174e6b0825351fcc7b3d1a83c109c97e4c0c

Download Submit
C:\Users\Admin\Desktop\SyncClear.txt.CRYPT

MD5
1fd51aab808f9935e34f1cc02089fbfe

SHA1
8e06ff158ca24845ad1ca442cc3ee1eee552bcdd

SHA256
63d3040a0402761c229222427e4c1f2b4f24b7f2e47eae453248d8294e39c10f

SHA512
a06045181abccb5d23b6f0c7291430a361d86c7c4085c767e9a039a00e6616aee53832095856e9c0d56337ce17648e43b4534accc8e4169eb7958f01abebde27

Download Submit
C:\Users\Admin\Desktop\desktop.ini.CRYPT

MD5
a1d0cd50ead8e0094d466c572c9d0e9f

SHA1
e971d4c682e71484180121cd64fe59c932ec11c2

SHA256
6ba8e856aeb937776c1f88503fe169ff0934840a2b697e95dd31c513cfb4b650

SHA512
aa6ac7b066e6b0f43d72d1b1d0b893d539d28ed02b4eba837aee08ffde6c5c089131b6492e64762941816ce64fb12fbbe64300014cb106325ce82f49598c2d01

Download Submit
C:\Users\Admin\Desktop\readme.txt

MD5
dbac9649c4bd702f55fbd1afafe87c44

SHA1
0d914f4a809cfe400ca111ebfbd0ad552d500785

SHA256
b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

SHA512
86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

Download Submit
C:\Users\Public\Desktop\desktop.ini.CRYPT

MD5
1525501d13e76d36fe608b49ea934ae0

SHA1
23ceaf9171cc75ac367e74d0eda1c4263e32bd22

SHA256
181f8cb92ffe855468694361d1d2b63159643a81667278fc0812b3055a8a6b98

SHA512
5eab82513b70abab46eb575f0f7d642968af5c259c5e01dd1a8fc5e5aa65eb45a718e979baf9253930a6fc3c74c95c7f052a48a71e31220d5c1cb3e4ab872ad8

Download Submit
C:\Users\Public\Desktop\readme.txt

MD5
dbac9649c4bd702f55fbd1afafe87c44

SHA1
0d914f4a809cfe400ca111ebfbd0ad552d500785

SHA256
b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

SHA512
86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

Download Submit
memory/436-56-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/436-53-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1624-57-0x000007FEFAFC1000-0x000007FEFAFC3000-memory.dmp

Filesize
8KB

Download