chaos | 90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe
Size

957KB
MD5

0ba90c8d8c655ee822f19820c7641b6c
SHA1

94b09919d77c1760a003bcd3eee8745f79b5cd25
SHA256

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67
SHA512

8c591016ea0edd78b00ad8cfcf6856e2f2902cbfd7208a3ca2367c0bcfbfdb89a473264d75f742706506e38e3edb0d42bfc627eb16191fe064464ce379c955f4
SSDEEP

24576:Y5pOT/MvD8Un1s2nZkFXfRMwpb645ADkMU:nFYnepM4br5hM

Score

10^/10

chaos revengerat evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OPEN_ME.txt

Ransom Note

----------National Office of Security Enforcement [N.O.O.S.E] Report---------- *Introduction: National Office of Security Enforcement [N.O.O.S.E] You were infected by a ransomware made by N.O.O.S.E No need to Google us, we only exist when we want to. *What happened? You are infected with the NOOSE ransomware. This version does have an antidot. Your unique ID is: NOOSEVariant2ID3754865400 *I want my data back: To get your data back, you need our decryption software. Which only N.O.O.S.E have. Our software is worth 1540 USD. *About the decryption software: To decrypt your files and data you'll need a private key. Without it, you can't have anything back. Our software uses your safely stored private key to decrypt your precious data. No other softwares can decrypt your data without the private key. *Payment currency: We only accept Monero XMR as a payment method. *Payment information: Price: 9.7 XMR Monero address: 476cVjnoiK2Ghv1JfFiSBchuKwfFrU9aD4uDCAYe4Sab13hy5cYTKSd7CuF4LZJ76ZcDDt1WZZvpdZDuzbgPBPVs3yBBJ32 *After the payment: -Send us a mail to malignant@tuta.io in the correct following format: -Subject: [Your country name] Device/user name (Example: [USA] John Doe) -My unique ID: [Your unique ID]. -Transaction ID: [Transaction ID] and an attached screenshot of the payment. *Verification and confirmation: Once we verify and confirm your payment, we recognize your device and send you the decryption software. *Important notes: -We might give you a discount if you contact us within 24 hours. -Due to our busy emails, we may take up to 24 hours to respond. -All of our clients got their data back after the payment. -Failure to write in the correct form will get your mail ignored. -Any attempt to fake a transaction ID or screenshot will lead to a permanent loss of data.

Emails

malignant@tuta.io

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\47936297.exe	family_chaos
C:\Users\Admin\AppData\Local\Temp\8262284.exe	family_chaos
behavioral2/memory/4052-401-0x0000000000CE0000-0x0000000000D32000-memory.dmp	family_chaos
behavioral2/memory/3160-403-0x0000000000F70000-0x0000000000FBC000-memory.dmp	family_chaos

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Detects command variations typically used by ransomware 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\47936297.exe	INDICATOR_SUSPICIOUS_GENRansomware
C:\Users\Admin\AppData\Local\Temp\8262284.exe	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/memory/4052-401-0x0000000000CE0000-0x0000000000D32000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/memory/3160-403-0x0000000000F70000-0x0000000000FBC000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3112 bcdedit.exe
2024 bcdedit.exe
Renames multiple (181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

pid	process
3112	bcdedit.exe
2024	bcdedit.exe

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Win32NT.exe	revengerat

Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2972 wbadmin.exe

pid	process
2972	wbadmin.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8262284.exe47936297.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	8262284.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	47936297.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 12 IoCs

Processes:

svchost.exeInstallUtil.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPEN_ME.txt	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	InstallUtil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk	InstallUtil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.exe	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

Win32NT.exe47936297.exe8262284.exesvchost.exesvchost.exeWin32NT.exe

pid process

3188 Win32NT.exe
4052 47936297.exe
3160 8262284.exe
3208 svchost.exe
3976 svchost.exe
380 Win32NT.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3188	Win32NT.exe
4052	47936297.exe
3160	8262284.exe
3208	svchost.exe
3976	svchost.exe
380	Win32NT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32NT = "C:\\Windows\\SysWOW64\\Win32NT.exe"	InstallUtil.exe

Drops desktop.ini file(s) 34 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	F:\FinalCancer\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

InstallUtil.exeInstallUtil.exe

description ioc process

File created C:\Windows\SysWOW64\Win32NT.exe InstallUtil.exe
File created C:\Windows\SysWOW64\Win32NT.exe InstallUtil.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Win32NT.exe	InstallUtil.exe
File created	C:\Windows\SysWOW64\Win32NT.exe	InstallUtil.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4995c9l03.jpg"	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exeInstallUtil.exeWin32NT.exeInstallUtil.exeWin32NT.exeInstallUtil.exe

description	pid	process	target process
PID 4004 set thread context of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4860 set thread context of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 3188 set thread context of 4576	3188	Win32NT.exe	InstallUtil.exe
PID 4576 set thread context of 1604	4576	InstallUtil.exe	InstallUtil.exe
PID 380 set thread context of 4012	380	Win32NT.exe	InstallUtil.exe
PID 4012 set thread context of 4504	4012	InstallUtil.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5072 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4444 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings svchost.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4188 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

3208 svchost.exe

pid	process
5072	schtasks.exe

pid	process
4444	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	svchost.exe

pid	process
4188	NOTEPAD.EXE

pid	process
3208	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

47936297.exe8262284.exesvchost.exesvchost.exe

pid	process
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
4052	47936297.exe
4052	47936297.exe
3160	8262284.exe
3160	8262284.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
4052	47936297.exe
4052	47936297.exe
3160	8262284.exe
3160	8262284.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
4052	47936297.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3160	8262284.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3976	svchost.exe
3976	svchost.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exeInstallUtil.exeWin32NT.exeInstallUtil.exe47936297.exe8262284.exesvchost.exesvchost.exevssvc.exeWMIC.exewbengine.exeWin32NT.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe
Token: SeDebugPrivilege	4860	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	4860	InstallUtil.exe
Token: SeDebugPrivilege	3188	Win32NT.exe
Token: SeDebugPrivilege	4576	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	4576	InstallUtil.exe
Token: SeDebugPrivilege	4052	47936297.exe
Token: SeDebugPrivilege	3160	8262284.exe
Token: SeDebugPrivilege	3208	svchost.exe
Token: SeDebugPrivilege	3976	svchost.exe
Token: SeBackupPrivilege	632	vssvc.exe
Token: SeRestorePrivilege	632	vssvc.exe
Token: SeAuditPrivilege	632	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe
Token: 35	3568	WMIC.exe
Token: 36	3568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe
Token: 35	3568	WMIC.exe
Token: 36	3568	WMIC.exe
Token: SeBackupPrivilege	4540	wbengine.exe
Token: SeRestorePrivilege	4540	wbengine.exe
Token: SeSecurityPrivilege	4540	wbengine.exe
Token: SeDebugPrivilege	380	Win32NT.exe
Token: SeDebugPrivilege	4012	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	4012	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exeInstallUtil.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4004 wrote to memory of 4860	4004	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 2808	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 928	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 928	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 928	4860	InstallUtil.exe	vbc.exe
PID 928 wrote to memory of 4540	928	vbc.exe	cvtres.exe
PID 928 wrote to memory of 4540	928	vbc.exe	cvtres.exe
PID 928 wrote to memory of 4540	928	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 2676	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 2676	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 2676	4860	InstallUtil.exe	vbc.exe
PID 2676 wrote to memory of 2868	2676	vbc.exe	cvtres.exe
PID 2676 wrote to memory of 2868	2676	vbc.exe	cvtres.exe
PID 2676 wrote to memory of 2868	2676	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 3296	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 3296	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 3296	4860	InstallUtil.exe	vbc.exe
PID 3296 wrote to memory of 1740	3296	vbc.exe	cvtres.exe
PID 3296 wrote to memory of 1740	3296	vbc.exe	cvtres.exe
PID 3296 wrote to memory of 1740	3296	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 2812	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 2812	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 2812	4860	InstallUtil.exe	vbc.exe
PID 2812 wrote to memory of 2616	2812	vbc.exe	cvtres.exe
PID 2812 wrote to memory of 2616	2812	vbc.exe	cvtres.exe
PID 2812 wrote to memory of 2616	2812	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 4052	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 4052	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 4052	4860	InstallUtil.exe	vbc.exe
PID 4052 wrote to memory of 3440	4052	vbc.exe	cvtres.exe
PID 4052 wrote to memory of 3440	4052	vbc.exe	cvtres.exe
PID 4052 wrote to memory of 3440	4052	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 4616	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 4616	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 4616	4860	InstallUtil.exe	vbc.exe
PID 4616 wrote to memory of 3720	4616	vbc.exe	cvtres.exe
PID 4616 wrote to memory of 3720	4616	vbc.exe	cvtres.exe
PID 4616 wrote to memory of 3720	4616	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 3284	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 3284	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 3284	4860	InstallUtil.exe	vbc.exe
PID 3284 wrote to memory of 728	3284	vbc.exe	cvtres.exe
PID 3284 wrote to memory of 728	3284	vbc.exe	cvtres.exe
PID 3284 wrote to memory of 728	3284	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 4348	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 4348	4860	InstallUtil.exe	vbc.exe
PID 4860 wrote to memory of 4348	4860	InstallUtil.exe	vbc.exe
PID 4348 wrote to memory of 4408	4348	vbc.exe	cvtres.exe
PID 4348 wrote to memory of 4408	4348	vbc.exe	cvtres.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe
"C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lggdby1s\lggdby1s.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB853.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CAD108A41B44CCEA1F6198775C32C.TMP"
4⤵
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hq5kqbuh\hq5kqbuh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1425AF5D7C244B7B7879283E512657.TMP"
4⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4tb0qu4t\4tb0qu4t.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB97C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54F0A262E924021AAC21A74BC785688.TMP"
4⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ausivba1\ausivba1.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6EA413E61EDE4981B31F69A8C9710B9.TMP"
4⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ujoxiyoi\ujoxiyoi.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25F8D46273A84CA09560FBF9A3E39ADE.TMP"
4⤵
PID:3440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e0tsfwmq\e0tsfwmq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9004429168E54F8E9C217FDA99966174.TMP"
4⤵
PID:3720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxjjjyq5\yxjjjyq5.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18DD6EF6B1834C44A8E2FCA6F9CA201C.TMP"
4⤵
PID:728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3cpjer4z\3cpjer4z.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70B599A5141E44FB855FEB114B356B34.TMP"
4⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xh4lqrvs\xh4lqrvs.cmdline"
3⤵
PID:404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc927F33D813D24EEA8C285150976B4194.TMP"
4⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\12khqy2i\12khqy2i.cmdline"
3⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5187018BA9E48BFB8EB2BEF5A8073B4.TMP"
4⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zzmvxfcc\zzmvxfcc.cmdline"
3⤵
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE21628FB5534A549C396D9B3CAF28B.TMP"
4⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjlouxzq\xjlouxzq.cmdline"
3⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD3EFCA8EB7C461B862C8FB4B6585FA9.TMP"
4⤵
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xtsnxkbw\xtsnxkbw.cmdline"
3⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A75B5EC994C4FE2B04E2ABDA9854.TMP"
4⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qojbi4rv\qojbi4rv.cmdline"
3⤵
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6D45409D0A24572AB851E4E89D6A212.TMP"
4⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qfkverg1\qfkverg1.cmdline"
3⤵
PID:5060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29839A3DC9874A65A4F006E18601F53.TMP"
4⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iskyktmb\iskyktmb.cmdline"
3⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc618D73C230F1478A9153F4988228E4D0.TMP"
4⤵
PID:4920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4enxqqju\4enxqqju.cmdline"
3⤵
PID:3856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC071.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4B297B28D29449FAC71DC85D5C85572.TMP"
4⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afbv0zvb\afbv0zvb.cmdline"
3⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC10E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FEB85FCD91640568F5CECB59D3C8C97.TMP"
4⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ker2v0hs\ker2v0hs.cmdline"
3⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC17B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2842BB347E84BD3BD23E5E1FEF5FA35.TMP"
4⤵
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sg0gfdmf\sg0gfdmf.cmdline"
3⤵
PID:3332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3B4274B12464835BAFB1A744CA148.TMP"
4⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xholkj2d\xholkj2d.cmdline"
3⤵
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC246.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7F3A854E85F44CD98F046E93492CC3A.TMP"
4⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3uai515q\3uai515q.cmdline"
3⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc771A5F69A4DC4A929E5D8292F4926C4.TMP"
4⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ueqpzmbr\ueqpzmbr.cmdline"
3⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC340.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc519A5AAC6FEE47E6A0EDEBDF61279590.TMP"
4⤵
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z22t20ly\z22t20ly.cmdline"
3⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9955015B163B415AA1BE1FD4F771F4B.TMP"
4⤵
PID:3552

C:\Windows\SysWOW64\Win32NT.exe
"C:\Windows\system32\Win32NT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qe2pzxfo\qe2pzxfo.cmdline"
5⤵
- Drops startup file
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES722D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D4AB459923643FBB767119FFDDC44FB.TMP"
6⤵
PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "explorer" /tr "C:\Windows\SysWOW64\Win32NT.exe"
5⤵
- Creates scheduled task(s)
PID:5072

C:\Users\Admin\AppData\Local\Temp\47936297.exe
"C:\Users\Admin\AppData\Local\Temp\47936297.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Users\Admin\AppData\Local\Temp\8262284.exe
"C:\Users\Admin\AppData\Local\Temp\8262284.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
6⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
7⤵
PID:4796

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
8⤵
- Interacts with shadow copies
PID:4444

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
7⤵
PID:2632

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
8⤵
- Modifies boot configuration data using bcdedit
PID:3112

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
8⤵
- Modifies boot configuration data using bcdedit
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
7⤵
PID:3708

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
8⤵
- Deletes backup catalog
PID:2972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\OPEN_ME.txt
7⤵
- Opens file in notepad (likely ransom note)
PID:4188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2v5t4j5u\2v5t4j5u.cmdline"
5⤵
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc260495160C049A8A070FBB782171712.TMP"
6⤵
PID:2436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2148

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3252

C:\Windows\SysWOW64\Win32NT.exe
C:\Windows\SysWOW64\Win32NT.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Scripting

T1064

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FinalCancer\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\FinalCancer\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\FinalCancer\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\12khqy2i\12khqy2i.0.vb
Filesize
378B

MD5
70af9c1b36eadb0975a3b7b6396d75aa

SHA1
ad3e32d8f6e4b45e39b25c4690914521e893db05

SHA256
65cc055af8a35f3bbe2cc55418c2fe338a35f298c3fc45a6c0421d6bf9ebfeaf

SHA512
39b764f186469afa343ba755ef2c15e4f82d928d85e787e3a910b4210cfb3fee0119127c11c7794ac5e5f818bd2feae8b462237792e458ceae39ad1f55e30f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\12khqy2i\12khqy2i.cmdline
Filesize
278B

MD5
06899f984e320709ee346f93b20b3835

SHA1
1fe9501c36bf70c58e657bdd883ac2d1db42920e

SHA256
0f9ae333ce16c1f41e38c1dccc094e911d94221c84fef475b41551bdba173dec

SHA512
24eef296e8422aa1a94807fd6f6bacea9ae15d459af1c10742d6c73c62101f62777164b17f7dbef881d7e9752472ea1cc14e4d1c41706e61e0ea1dfeed1aaf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cpjer4z\3cpjer4z.0.vb
Filesize
376B

MD5
ec4a6c4c37c41025c6514c1ee717f9df

SHA1
396e60cefc15db8324c137c420d1b69be6cac00f

SHA256
72b07a8a7d88b81e3a65f1af9e988f4edb05944ee70ab87f14cd93b31589e9b7

SHA512
94eb5b790ede491b3250273385e81c03ef71a8f1a0249e8c2dc766c4cd3c79c35ed6dff3cabb06715f183866d7844f823140cf8c10c86caa7adb3956ff94a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cpjer4z\3cpjer4z.cmdline
Filesize
274B

MD5
dce1cc1545d0864c93ac31a418ab2a69

SHA1
6d8b4cf26e9df540a84117169a174b367dc8aa7d

SHA256
c70478241eb4115a64cdf5135f49d9b39926bbdd5e1a479e67f8eadb3a42b4c5

SHA512
45fcf0b0d252fac389841b58a0a01905da5af0eed843597c530bb2d5c0c74da4173f0df53ed8b77138e40a0705f70916ebffe7ef4b72ccf42dff958e6232a08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\47936297.exe
Filesize
305KB

MD5
9ff9e2eb4f1d5405de3a35c8a5c25366

SHA1
25db133181d55e92d6a29192a49e6eb2c060bd69

SHA256
f78ebe96629ef0bf102ddefe4c2f08ae66c76a3d9c4a82cc6e25dd306d6ce99d

SHA512
eac4c150331039d96af9ca4d258ce3fa1a8c4f621b8d8e59574d4dea7bee9de6ed4827460d6e849b85037feacabe9d39131b5d0423854955db7785780fc8a3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4tb0qu4t\4tb0qu4t.0.vb
Filesize
358B

MD5
947bbeb4c36d980bb08d825efea9e864

SHA1
c0851e8f24dabfcc47b43cbe42a94902f5c91ef2

SHA256
23f3eb806036137b81e92672f88d3e011038301285a60a128bae6bf29e5a035a

SHA512
2589f015c969ab95d87e49da85128b93e1e0197f40be26becd534468c86b53b82e56f43d742276d3bd22393f37c0f5739d6c4552b027b5b02e5adf1877960ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4tb0qu4t\4tb0qu4t.cmdline
Filesize
237B

MD5
12e142f51c248331aae4c25362e3b868

SHA1
43f0ab46f62446e7ed79b18cac8c8116ced1bb19

SHA256
5ec323b545bd0898a24f42bdcbb00801a475a4762f98b00d023b643ec03fbc24

SHA512
65599039d9d35a3d69011f7bf0cb26535c004fd391ed08dc38703def3027e96a7108624e6dfb520f2749d65636f1558d8cbd0e17e41f740da580fdcac0cf88a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8262284.exe
Filesize
283KB

MD5
0e2fa137fc4dd4f99e4cda506bc8b645

SHA1
9ec9ef974cdf29d1b5f19ca6d2b89ee6f274bb13

SHA256
4d6350c54f1a3a58d4b25f315f5ac7b20e7f48533c1cef4e374d766cfbf4c5d6

SHA512
b845c48e90dac4ad27086cbea0c36ee5d7bed2192eaa18a2a3029dada86b392e89ad3eb40a2bdc2ecab7414c24ec0b9f2081f8f7d5ac5b176b28d21c2694ecfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NRHXJvb.txt
Filesize
102B

MD5
ba2dccdfaaf1ef0773a1d2b9d3a80769

SHA1
09dbd1de347a7e2e1db96e0d0c020fbd8d58bdf4

SHA256
4d5510830365819abf6aa5c51dfdac67d0ccf0a9d1d6ad6c717337be1a28a9fa

SHA512
dae5d60809973a5f8aca4b9579c8ee0953cff6dc8e4d0b08ff15e1dea877b6edbf46b6a8ae0c30684d1f37dade30a2cb1ab2aa52fd7e35d679a2ef1ca18cde63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB853.tmp
Filesize
6KB

MD5
7e330f74d42e46cd7a9caaa44a802ffa

SHA1
e048be17161e0cf15e976c49bcabacaa06e77694

SHA256
413da87e9d7532086fc22bcf400a2bf014c14d1033d010c7a97c2bbb98e34bb3

SHA512
733f3b0e7dbf15c8cedd4257a7452a8945313764f59731e7869f04293ad79809f12f03415c8a643ede9646ff5efcf701d3895459b8625850de0aad658eebf072

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8F0.tmp
Filesize
6KB

MD5
cebc60a87858ee4ac1179c7747aa6e59

SHA1
d16367a36548af9f6f9043b46989079501d5a7b6

SHA256
924facd72126be85d75f2ac50ece6b08f8bf7359ccd45076f47661f72fa3f600

SHA512
9a39c19d16d683cb28b2b9dce8e1bb2ff2325b1011012acf18f86cf2e2a97f849044bb02f32caf37b3c91b85ea6f3e67edc35cb10c02007f182d52d1d8a42d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB97C.tmp
Filesize
6KB

MD5
5524c92ce82fb7554b6e3eea076398f5

SHA1
21177e3a3363d4feb1daedd9994696ac4dd158e4

SHA256
f6a33eee78b2fbadc5e4f01d42b5c032ebcf17f8a795b0081e7d98b6c28d3304

SHA512
df8d0fa34fec758d4479eae71e319083dde260fe906e6b68c57b6dff33d9e2bb7bfc68c4f0d9e4d68e03bc699a4baa8105c6b522bd12e678adac66209fe4ddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA09.tmp
Filesize
6KB

MD5
90ea1f6a6746d38b9163eae473f010dd

SHA1
4046c96cb5d1b650443ffd58cfe3f854a029471e

SHA256
cf77408620b7b2447bad942615b89e8c35c871c4990afee2cbdc2b218184dbe6

SHA512
4feebc016ca5e91f45bb2da193ac4aa93fdbde2ca3ac4a82e7bde1de769d0893e788d3e1ef23e7c97ed7443c86c56a6169ad8efb0fa1bdb65dd479036409f7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA76.tmp
Filesize
6KB

MD5
b3df9210db118dcb656b6e9c38635c38

SHA1
99305afc182c7b81908087877fca3298f56db645

SHA256
f8bbd3503f959749ed8d51d041e7bc0c996ec08190e1a8a382f3eca5537e9443

SHA512
03fb3898d1f8efba4c67048e42dec92b67295efee081a971c3cc9cf0f27f8d323c4916658177daa1a3b22564cca08b70b7740f6905d7997168b8e156e8f54465

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBAF3.tmp
Filesize
6KB

MD5
0569d0a1cef22a03f88b26ecc7aef1f9

SHA1
1c3b32028b2dbc523a0a6d3005f43e5ebbd3b750

SHA256
695e37201ea855ba1763d468d10c4c056e7a7f65f84fb08f7298176e73c4147c

SHA512
7d66a9962a6788594331d09d7fa4159f0ec3041d74405409b20436acccc2bc3ee307609a575c9f064111c4a0b32a5b49b35c7624eb097ad00cf440287048a9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB70.tmp
Filesize
6KB

MD5
83b475e36cf42bdd733fe32822678ec5

SHA1
4341c37177358aa2eaa1716e598081188a5b8af9

SHA256
6baa9c68c2a36b066b5aae07f82f56af9be23f8e5d21aa0681f075c04d9ed9d7

SHA512
89e2bbcf3c27979fc48fb192b1688f9edd5a3911203ae17ed21c3f77505f27bc7f4ef69f6b91428c40b15574de6945e0e2e0ec28b76025fd2f92874333cc116e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC0C.tmp
Filesize
6KB

MD5
b61cf6dde7d8adf045976463d0e99794

SHA1
dbbbd08ce18a0900a1f203d14e89acd71028d088

SHA256
adce222359b9509613abbf639910ea39dc98f90eecab13ce4444cad24ca7fa8a

SHA512
24cf50ec1de584189f3a1aa3b0b932f3fc04f92614f667e89818827801db299f88d5ff5dd3e7ceefd8025fb7bbf16eceef8d792c80384acb77922c80da2382a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC89.tmp
Filesize
6KB

MD5
5a773b4e7d60b1af53fd22b166e4e830

SHA1
728e3585b5c445a508ded8f1beadfb0f0d8eefe5

SHA256
534b141506ec62471ee79c8d393e4f04af51f4e3c2b221ad50811be72443ac3f

SHA512
5138323e03e3f4400e1a6c7621c82788b7ef4b58d5e11b5526f2fdffe942f98b80a6a82e5b82536f5845278ff8b704a131ebd6b56bcc785525639db08123bc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp
Filesize
6KB

MD5
29ed1e429c4205d389fab974efc2d373

SHA1
376c9cf0f3caf28da45c02bbf97446fadd01cd66

SHA256
72e97cfd5049ab07e20abecddfff97a4a8989551898fa24fa2242189c4f9876b

SHA512
cd5258ac83a076cc560643fd7e56c04611f0ea87dccfddbc6290b6e13a1c06fc73810d440ca96df01ac0ff760754569c950ad0da28b5cc0529258c3399d9f83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD83.tmp
Filesize
6KB

MD5
3f25b4e6960cb269d6ebcf9739b18aeb

SHA1
cfa9c86e2317e39819abf7400f9721d77722597b

SHA256
ae11170ba06e05d6a44050849dd33dbcad9be42c1f8a9fe5c3189852575b4ead

SHA512
b2b35469b226d8f81730e645db9fac394a9fef8f2a074906176b9f19fe498d0d3267cfa102b52af8f5b4fd559aa41d3fbde1ef11090b35cabd68703998d248d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBDF1.tmp
Filesize
6KB

MD5
4f6a8716f937200802b95b1abb9bba02

SHA1
09f4bbb8ba943c7ccdaec040e5e590594b7f479e

SHA256
dc0180f3cc1c9c69b8f76e0d9ed49fb6657991f79eb79d6945ed5bcc32f62b20

SHA512
cd90c1831cd5337ebc424a5bb82364fafe744bc4f0309a032a6c34c3aa46f6775695f455169ec153ecb22fd8e224e2c9f2f575e020eb2dc043251f54bb47cf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ausivba1\ausivba1.0.vb
Filesize
372B

MD5
4f16bc8195bf8faffcb7143004f6b98d

SHA1
d8108fdb15755c22cd5df165a137b5d2af5bc938

SHA256
8d22deda1240345582850f7211306b82fbe8cc9f8a84f9fe3ca5ce3ac03be844

SHA512
be5a0f8b45170edcf250c5c822f63697da5e378fff6bbf52fbd65beb17a0683b2de1dc353eeacace0cac0ddeb389528ec34eabedb66df38a34d707d2640bdd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ausivba1\ausivba1.cmdline
Filesize
266B

MD5
2749635ccc5191844d589f99bafecb5d

SHA1
5bf5ffab27aea09cbc8fb5ac3fed0fefe4086faa

SHA256
ebe61319a6f31c3802c9fbaaaabcc2ed92c9e185a6940e97ecf26e7a5e186ce6

SHA512
6c07324c4e0d34648737cdc21361a241c9cc16490f9d0d25c38c9e39d971ff50fad78df34b5ce3b5a9b42ded8882eb7a81660bb2e790a907732cff0ee31453d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0tsfwmq\e0tsfwmq.0.vb
Filesize
376B

MD5
9142a18b01ff279872841047b51af510

SHA1
5c2d3e41d89c3a9c3bdc501517eca75e0f7696f5

SHA256
5b349f3c62b28fb90ff3a3dece5af80ef2f43411b8bd69cb0b36249dbe4c0f50

SHA512
bab3f2e8cd81497cf470cbce824e15f12df96e498498fd839a44abb50b841ba1cab82f3b3f4935877bf4efae2d5daa6ea7726ba4cc5499cdc799e401d9820424

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0tsfwmq\e0tsfwmq.cmdline
Filesize
274B

MD5
d3c80d6b6d7fa30ed7998610426a99ef

SHA1
3b9624831ba216a53631659e0ebb94d0c9a389f8

SHA256
9f2b96318506761f13f7c8b047a84eee1eda46653b19d014f62341b953e803a7

SHA512
7dbab541b788de106d7d85c5bc30dfc26188bcbe74ada1a133bc3691be88d4a3e7605ef115b48047bdb371fddee3afca8948ccbf2b849d8307fedc30506d39d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hq5kqbuh\hq5kqbuh.0.vb
Filesize
372B

MD5
3dfc1912d533d8a58c7519120f72503c

SHA1
64a80c0efedd49a66e20d662069666a7816fd626

SHA256
7c50bd6ab1f3c9fae4acf6caa9a9de944dae58f8c12e99770f8caafb265a1494

SHA512
91122647b4d7ed5137c63a9ce9a870918c675d90df27d47b9b06d6932432fc17c7eed0cd8d1e50638e8be811cbc2f83f5e3a01dac5e16c2644e86ceedc4c4f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hq5kqbuh\hq5kqbuh.cmdline
Filesize
266B

MD5
d58eb6b54d0023eca0cd73df08595d6e

SHA1
5eee2e50b21a7a332b4726fc83b1163256d8da17

SHA256
b1424d57bc3d6e0cf570b5fd993c808e936b48bea9ef85ddea4198a6d1fe6d2a

SHA512
007cd7126f8a7f80eb8628bdb1c1ee5eee455cf7ddc2c2d904ac8aed2f4818f1e1238aa704dc8ef081570d14ee41aa917ee20f51e89b7c5cfaaaa85e260ebc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\lggdby1s\lggdby1s.0.vb
Filesize
350B

MD5
b509947ba261f580c3ae3cf6a66227ed

SHA1
7e762c787a212fa5ca2f98a082de67e4825a01ce

SHA256
db024069fa3ae426b56383d89db603a25c28306e54132961d4a30fbfd68723f8

SHA512
14653dcb0322041c2f0ae5018eb2c4eae0448dee2240db42b015311767071d0ecd0756f0482f0c396dcd0418dc8b1a1036243108302eb1c91e6ef9e6faffb49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lggdby1s\lggdby1s.cmdline
Filesize
222B

MD5
50027db9945080f7a3136bfb980796cb

SHA1
f0393bfdaa966288222759814ad1667370e76064

SHA256
da5077295395ab9ff18094df0764e15c1a130c8bb99dfeafa1a9579f51d34470

SHA512
026534eda5e034d8133976e618c9c6cdd272a0f2a5f8bc3c2f40484e450a2db74fe7e1b7838cc388ccb67ab98c9c7ff2393df801cea4e3c9bc1dc03c2582affc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujoxiyoi\ujoxiyoi.0.vb
Filesize
358B

MD5
5468e283cbe84c3f87136870c07f13a4

SHA1
1625c084c011837f40a489ffc75e1d57a2886dbc

SHA256
f59f43e9ee0aec96a0d838ab5469a198a39a3c8b0c68c6538da5103953c007ca

SHA512
dc3d26f9efd6e023ed1530a912a26961b2ac16037fa71aec3ad4c16069c2ad0444dee5157552f960b2f7953708169392ce2e7af6786452dec221240449b0ef0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujoxiyoi\ujoxiyoi.cmdline
Filesize
237B

MD5
fd811ed93a343a5524c0fabb2da78483

SHA1
dc28c939d756285eb4c91ca345781334e5f681a9

SHA256
904bb09a8cdc110f4c25b3371b04910fbf34a4f1a8cca679e004b58f56cdd71f

SHA512
8fa931eb6ae97896110a98c0c40ada5b37b21800c814d0b3eb7f815d7e1041789986d6f7e4bbac68e111dbbfe7f2e35949654707c1c0913645b48f77f9cd18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1425AF5D7C244B7B7879283E512657.TMP
Filesize
5KB

MD5
2c5cafca48c8d6fe4d1fa6a80c68a7a4

SHA1
5dc8ff4bdb9ff9bf181d1371b80f034819631801

SHA256
ac37003fe12ade867384b99f197bfadd3d32a99eacced6a7cf9487b4b5fe6d43

SHA512
31aef9174de2d8276f10ef0c80054357e05a5485c22f90eb4f19c4f514b36529859747ecd6b15f252deb3c20961b470a944753e1214ffc1abf37fe401d88093f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc18DD6EF6B1834C44A8E2FCA6F9CA201C.TMP
Filesize
5KB

MD5
5e95bd5730fa77a2bffebaa8c2524adc

SHA1
5ee9a598454cd8040bb9a5e48576a2f54d8718d4

SHA256
65351d77d5230172bf6e310b9e8fc40fce2b55476c10818ba11b3422e8a432d5

SHA512
c2d7605ceb2f3481d664fd5583fa9b8cdf4e2b4c6fe30b7070f6d3a60002dd1f46d9cbc8c0a2f52f5c9049a562c1b46d7c71e5a7d4cbecffbe08633fa26735a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1CAD108A41B44CCEA1F6198775C32C.TMP
Filesize
5KB

MD5
c9e82f1c503a502ddf8c1541ca201cb5

SHA1
00383211cba606246080a9d268aaa1e5072d40d8

SHA256
64bfab8edf402374a17a08a1d365304dbd3f26937f1caa74e43d6b6bdc7f64cc

SHA512
fba125d6940183d437335c2ce3a930d1196ed0765d23d71043b3e2f097a46ed88ad30c14efb6ca35b5cb218c4cab891a174f79b401fb3670121d2e2a7d6815d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25F8D46273A84CA09560FBF9A3E39ADE.TMP
Filesize
5KB

MD5
b496aac40c58f2ef341740e6f8476241

SHA1
90536b1e56f1aa68d7c3b493ff99c63492bb9896

SHA256
978b9122a336b6722d953d11b319e8db62a0e51277a45021d7ca96d41fca204f

SHA512
c3253e6bb679d42f5e386b0136b1e8ca88c3a34718213073c0260d202d95b962a4121bb0a452d3059551b42b4e2cd84e1d23b2ff76173ec711e9f1e09c996496

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc54F0A262E924021AAC21A74BC785688.TMP
Filesize
5KB

MD5
388c3b323363c06f4b7d2f6c4f64f6ce

SHA1
f4f43724e4d67028566150d88228834c316c56ba

SHA256
53a787e6cc777cd682c8ca5bd35253d9c1def459796f18e694bedddfc6d2fdbf

SHA512
6b0ef7e8538392eecb47afd3ee2d2c5187fc87b7ce890ff661f977e778b931d6969193373ebaada6aec4e62d5d354e49e345752628af7953e201b14a2391e64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6EA413E61EDE4981B31F69A8C9710B9.TMP
Filesize
5KB

MD5
00d94705062aee9661956251f5a0756d

SHA1
e0befbd6aae745b6466fbc14cf06f9b29a2c3206

SHA256
20567e632f4c8e35b20d0c296b2fa37e5e24bf857b21cbc94a020f79e442b453

SHA512
d6fc786ca12a68b68f37d575c2d7241fece2d407fd840d05c90e15486e6329c521ba57d3008dee7098f5e6ec581e4cc22a12eeb667436547258788240bc4e6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc70B599A5141E44FB855FEB114B356B34.TMP
Filesize
5KB

MD5
8816d949de547c849ee859103930780e

SHA1
b64e21d7cdc3e8a18069a0e5b1de9cf32888caad

SHA256
8851eb5f03e9c837301174363ea9f076fee5427b8b227c69ded82c610ce1d302

SHA512
0372edd9f5de51170393d6c48f22da41aab6e0e464b859288f27a0a0844b58c0825277629e7b717e3de4c94e6da55c5c232d4a1c83b3dad2effaa147a1d5d6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9004429168E54F8E9C217FDA99966174.TMP
Filesize
5KB

MD5
2d4d7ce2956236cdcba7d30748f25e95

SHA1
8ea12b35ff98b7ca2e60b310fe114f201596da86

SHA256
dbc0fb5a877703e6b6bb2c4246655c6f633b944bb90db55d758185cb92d83b6c

SHA512
0b20eb0e07f7b44b087e73ecaa94bd23a5e6dc2b74bd22f4e641a2b5ebd03e6ce8c534003e2d07e1996d7d5ea8124b9a2a79930f76e90e3d740d9b49f7614551

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc927F33D813D24EEA8C285150976B4194.TMP
Filesize
5KB

MD5
60c045fd5f525cbeb23660fbe7a49a65

SHA1
1424a27b5c3a7626e395cd58c7f4f77fa6bd3238

SHA256
5f251fdc5563215f352b252c0655138861ed27ed043409f22b9a856756b0c1f7

SHA512
fb4a7e1c52f5c16b2bd062e9b48c8cb186caeab6d88287b8f207ef393bca2ec7b8e92e644b658ffe394587f77bc576aa63d54709acce786023f2c98047df44dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCD3EFCA8EB7C461B862C8FB4B6585FA9.TMP
Filesize
5KB

MD5
288cc7e790c325aeeced08cfa4ce385b

SHA1
ab8b228d10048de1c8181b1328c0a6896fe23394

SHA256
822ceb96371ccc29c933ec448c2faddf1c6e687c9624fc27f7515e1f8ecb1a7d

SHA512
79f7d0ce81bbb4543704a2c8d00d32af04c4981f0d5913ab4c6bb8bc64b51df6c54c25c84cf9084aea8665b52a3b38d366c0ea0f261125333a213392b2ca76a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE5187018BA9E48BFB8EB2BEF5A8073B4.TMP
Filesize
5KB

MD5
252fd46a5b3cd72411a783cabb14f35d

SHA1
5a83faacc65b91265a07c4b2c8c17e89f4f0c3e2

SHA256
157e9d2f36dfd53cc6fa365f2ccb98c339d20731bc884900ecea8a0f98376452

SHA512
9dc55af674b81b4b95f838385d1f1596a86d5040c7f8a2587a0556df7e1478eb4cc65b84667269d1397c71ec1d3729a039bd40105448a5433d365fab5a08fe7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE21628FB5534A549C396D9B3CAF28B.TMP
Filesize
5KB

MD5
a5dedb56c3f55e0fedd4bc8a094b9e29

SHA1
e52a59e775c4c5b8b6e5547d12c229405df2dcd8

SHA256
0ab53879d335a43d19b58212bc602b942904b3505f3cc24eef3afd7d3a4e9012

SHA512
c1c52e1b49d47b2f20b7874bfcc20a6c9c23bcd355ff496abd0a37db2bc7e7dacb4c50d483235014e070a2b6e5154bf150d48ade13c8599b36ddbfc995055863

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh4lqrvs\xh4lqrvs.0.vb
Filesize
379B

MD5
0d4174c11e206d3bad116dcc684782cc

SHA1
2e12d3e6dd5a25a90b2b9ea69020ecc04a5fa8dc

SHA256
c7a4202afe745612af78b3abd57b5187106aeca58fed11f725eab06040b18bc0

SHA512
769902f903486f824d9bf76ef7892bd1711932617171f7d3ccdf550ae171cadb65d86fd8a4994df21aaa121ac18981f165f47236a0d20185691083656d600a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh4lqrvs\xh4lqrvs.cmdline
Filesize
280B

MD5
20d4f4285b700a214238c48a2ab5f81c

SHA1
a4d8b88fdf6f2029c6057c69db5341d4bc7c2ce6

SHA256
96e36babecd2ffb43c3787fcc1bc8b778f9616df3e56bbcc3e292f4010b57680

SHA512
91dde8000e02363a162f3c7300fd5d15feebf45dc0b5bc01356e29e9311844f475978bbe10989c61bf8e9330218cdd2a009930945d285a6e8deba8e9680585ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjlouxzq\xjlouxzq.0.vb
Filesize
378B

MD5
a25ab47471edf1ddfde1ac6dfefbdf5c

SHA1
38fe981ac57cb369ec38e3f07841cc7905bf70a0

SHA256
3502f5923531697e38c623c4fd6b6f47c25d9e819f016b84273ab08ea2fd92f9

SHA512
66e7e1b930062a7778de85be4dc14d60af0502bd1ec479d28ef8105c469006f6f7d531fbf4dd92894249079b29c20249dd8ba3fe814290aa9845e02efb59747d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjlouxzq\xjlouxzq.cmdline
Filesize
278B

MD5
773e1b18e046e4864b460800a68cda76

SHA1
95f423cccec5f7817965619c3b733016cc251492

SHA256
ae9ed7606a816c1dfabb22d359d3819d19102a59066e1011e7b104059b8148b5

SHA512
1f968aa14161dcae2e8bfbfa54ffe5ed0cdc3eed53f10e9832feb3066a0a71fad593bcfc4225f730213253292a55097cd0f8e5e261c30e68802dab7a34e612e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtsnxkbw\xtsnxkbw.0.vb
Filesize
381B

MD5
56353dbafcab3482384f52e9926aeff9

SHA1
409782553e47a46675e2d300708fa6f45e0fd974

SHA256
397c249dc9c6d1b4c435de8dd2d20b3bdae6f83e57c6812c63df8437a24ea8ec

SHA512
49c5188d9e45fb8ceb32ab24f5217ed5d16f037ce798d9d5b759b63dc4d4227cfb50408d77cd2c545cc5c67c7cb7d8c87634678d65e1e295207da063ed9c5e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtsnxkbw\xtsnxkbw.cmdline
Filesize
284B

MD5
baeb68279eba88278198d6b2b6812bc5

SHA1
58d95272ad320d966d1c507948498091855034af

SHA256
d82523e46518a432bf8c861f466b3b31b766313705d3f4e07e5b4235199b6766

SHA512
7443a1f2a7ed5f70ced08ec7d586a5a7b3a48ee947fbae82ca4ce5b04a8dd11c5ccbbb7cf4d1652f55a76f71da18596ee0e7b4d62b39e28a5d30f556ad9cdb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxjjjyq5\yxjjjyq5.0.vb
Filesize
379B

MD5
39f1090051deb4a4a43bd29b8814dfb8

SHA1
dc42c563bb81474709203426de65d06218cec279

SHA256
d08fc6785cc2c58653d2c660a0ef631524610bd247aa6fc992527c7e1042ab47

SHA512
9b794441eb4cd585b97404de86c3987c3c119bd5692daf9d7aa33f16283f2a3ce472d431304500cb65535b7ebb6b2da49a85b97ca79ab202b4d85dca99b37cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxjjjyq5\yxjjjyq5.cmdline
Filesize
280B

MD5
685795d6768bc27868c0a89e3edfaf7f

SHA1
13d3f65fc119db32c4601ea610893f14a12783fc

SHA256
dd79e5ddb295f7e1eafdaa7bc87a24cbb0432e7ee6245af46fa64e6f3cd3147d

SHA512
72afbded186b5934b4411646a4de1e76fce48b8d586e87270f335890c44a13c317041b33a79fcbaf75a0711bf41272fd65eb00a17667d2fc7563fd3a04697799

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzmvxfcc\zzmvxfcc.0.vb
Filesize
381B

MD5
e12c96de46debdd20e91958031bfcc54

SHA1
be562249eb536b4f772b719a798d136b39bc07d7

SHA256
d4c706d54244d4a4525f728baeba2f0c43a3a1d4971f99a291fe2d16f9348bef

SHA512
f5441352ba29b8f00a86d9f67c7eef9425d09a67fb4c2e88173c4012bfe16401ed942a182c5f8e4bd87551430764f661acabbed032ff219e5e5c3b09ff136353

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzmvxfcc\zzmvxfcc.cmdline
Filesize
284B

MD5
133b3533beca009d017bf4c86d9bc60a

SHA1
c0cf87ef9f72ea9c425ef373aec350bd5e442b4d

SHA256
3ef877aae3a16166ec33469e1b3615e5980dd971afe53d70feea4bfe64d334f3

SHA512
fc50a228c46ac992f9fc01b8fb01c7076f8049a8c3af3db7eecec194309635868448c30fb4414de5368dcefe76b564f3f3b0ac480f831d397c6aa12e264851f1

Download Submit
C:\Users\Admin\Documents\OPEN_ME.txt
Filesize
1KB

MD5
7f334c0bdedefade207b4a8a5e29c9f5

SHA1
1ed67865be5a3323dff223fcb440d1652aed8030

SHA256
6f520eca1afef05df125b8fbcb238dc19df86aa5ac0e8d7e99e711713c9355df

SHA512
ba26091c71a66f59b80d61ca228b3e31999d8b87fec4bca5339af863770259e7cb5bfc2f1f39542bf7d4371ec4b307f8e433c56373db86a00a48af33a79e1764

Download Submit
C:\Windows\SysWOW64\Win32NT.exe
Filesize
591KB

MD5
a1c0029daca1846904be23abfdda0191

SHA1
747db08943b456b9fd3c583bb9d5d256e6543e55

SHA256
bc9f8a179b61a96f922697277c63b16dd6e04a571a21e3b2dfe2c274375d9f45

SHA512
0aa83ae6a3e43ecc70ec77e379c6a1e7915763c623b26a65981612b17b9b9a65787c318088961839c3b95e7f382893582759fa2f2049a02bf8ce82c34bc595a9

Download Submit
memory/380-848-0x000000006F4D0000-0x000000006FA81000-memory.dmp

Filesize
5.7MB

Download
memory/380-849-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/380-855-0x000000006F4D0000-0x000000006FA81000-memory.dmp

Filesize
5.7MB

Download
memory/380-850-0x000000006F4D0000-0x000000006FA81000-memory.dmp

Filesize
5.7MB

Download
memory/1604-369-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/1604-366-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2808-18-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/2808-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2808-19-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2808-16-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2808-15-0x0000000004D90000-0x0000000004DAA000-memory.dmp

Filesize
104KB

Download
memory/3160-416-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/3160-403-0x0000000000F70000-0x0000000000FBC000-memory.dmp

Filesize
304KB

Download
memory/3160-405-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/3188-356-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3188-361-0x000000006F220000-0x000000006F7D1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-357-0x000000006F220000-0x000000006F7D1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-354-0x000000006F220000-0x000000006F7D1000-memory.dmp

Filesize
5.7MB

Download
memory/3208-847-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/3208-417-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/3976-631-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/3976-428-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/4004-0-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/4004-6-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/4004-1-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/4004-2-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4012-859-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4012-856-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4012-858-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/4052-429-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/4052-401-0x0000000000CE0000-0x0000000000D32000-memory.dmp

Filesize
328KB

Download
memory/4052-404-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

Filesize
10.8MB

Download
memory/4504-862-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4504-861-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/4504-860-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4576-368-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4576-367-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4576-365-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4576-363-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4860-20-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4860-24-0x0000000006D20000-0x0000000006DB2000-memory.dmp

Filesize
584KB

Download
memory/4860-4-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4860-14-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/4860-7-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4860-11-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/4860-8-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4860-9-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/4860-355-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4860-21-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/4860-10-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download