cerber | b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb

Analysis

max time kernel
9s
max time network
131s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-06-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
Size

1.2MB
MD5

44a259805268ce9dafc43aebfbb5e40f
SHA1

fc6880a063418ecdcb9db640612a4d5ecedaeeb2
SHA256

b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb
SHA512

1f1db6827ef29189e75f06f85608120202d096169127e189d6e4061a8cd1caa42b1a91587cf4f8602ecfde0908642d0388141fe44eef939a44f687a86531923b
SSDEEP

12288:p6SlL8qX0+SWaAg0Rj1aV1RY7Q6/gnKmcMdsx/3Ot3s8fjVOJ/i6h62G0Go01x4y:p6SlL8qX0+S/0RstwxA8M

Score

10^/10

cerber discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_HELP_HELP_HELP_CC86QNJK_.hta

Ransom Note

☑ English CERBER RANSOMWARE Instructions ☑ Select your language English العربية 中文 Nederlands Français Deutsch Italiano 日本語 한국어 Polski Português Español Türkçe Can't you find the necessary files? Is the content of your files not readable? It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware". It means your files are NOT damaged! Your files are modified only. This modification is reversible. From now it is not possible to use your files until they will be decrypted. The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor". Any attempts to restore your files with the third-party software will be fatal for your files! You can proceed with purchasing of the decryption software at your personal page: Please wait... http://p27dokhpz2n7nvgr.tor2web.org/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.link/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.nu/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.cab/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.to/6A10-8F58-F0A2-0006-4656 If this page cannot be opened click here to get a new address of your personal page. If the address of your personal page is the same as before after you tried to get a new one, you can try to get a new address in one hour. At this page you will receive the complete instructions how to buy the decryption software for restoring all your files. Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you. If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://p27dokhpz2n7nvgr.onion/6A10-8F58-F0A2-0006-4656 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. Additional information: You will find the instructions ("*_HELP_HELP_HELP_*.hta") for restoring your files in any folder with your encrypted files. The instructions "*_HELP_HELP_HELP_*.hta" in the folders with your encrypted files are not viruses! The instructions "*_HELP_HELP_HELP_*.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار... http://p27dokhpz2n7nvgr.tor2web.org/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.link/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.nu/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.cab/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.to/6A10-8F58-F0A2-0006-4656 في حالة تعذر فتح هذه الصفحة انقر هنا لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر); قم بكتابة أو نسخ العنوان https://www.torproject.org/download/download-easy.html.en إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER; انتظر لتحميل الموقع; سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت; قم بتشغيل متصفح Tor; اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية); سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء; قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/6A10-8F58-F0A2-0006-4656 في شريط العنوان في المتصفح; اضغط ENTER; يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى. إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة https://www.youtube.com واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. معلومات إضافية: سوف تجد إرشادات استعادة الملفات الخاصة بك ("*_HELP_HELP_HELP_*") في أي مجلد مع ملفاتك المشفرة. الإرشادات ("*_HELP_HELP_HELP_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_HELP_HELP_HELP_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. 您找不到所需的文件？您文件的内容无法阅读？这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用您的文件。安全解密您文件的唯一方式是购买特别的解密软件“Cerber Decryptor”。任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的！您可以在您的个人页面上购买解密软件：请稍候... http://p27dokhpz2n7nvgr.tor2web.org/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.link/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.nu/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.cab/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.to/6A10-8F58-F0A2-0006-4656 如果这个页面无法打开，请点击这里生成您个人页面的新地址。您将在这个页面上看到如何购买解密软件以恢复您的文件。您可以在这个页面使用“Cerber Decryptor”免费恢复任何文件。如果您的个人页面长期不可用，有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器：使用您的上网浏览器（如果您不知道使用 Internet Explorer 的话）；在浏览器的地址栏输入或复制地址 https://www.torproject.org/download/download-easy.html.en 并按 ENTER 键；等待站点加载；您将在站点上下载 Tor 浏览器；下载并运行它，按照安装指南进行操作，等待直至安装完成；运行 Tor 浏览器；使用“Connect”按钮进行连接（如果您使用英文版）；初始化之后将打开正常的上网浏览器窗口；在浏览器地址栏中输入或复制地址 http://p27dokhpz2n7nvgr.onion/6A10-8F58-F0A2-0006-4656 按 ENTER 键；该站点将加载；如果由于某些原因等待一会儿后没有加载，请重试。如果在安装期间或使用 Tor 浏览器期间有任何问题，请访问 https://www.baidu.com 并在搜索栏中输入“怎么安装 Tor 浏览器”，您将找到有关如何安装洋葱 Tor 浏览器的说明和教程。附加信息：您将在任何带有加密文件的文件夹中找到恢复您文件(“*_HELP_HELP_HELP_*.hta”)的说明。带有加密文件的文件夹中的(“*_HELP_HELP_HELP_*.hta”)说明不是病毒，(“*_HELP_HELP_HELP_*.hta”)说明将帮助您解密您的文件。请记住，最坏的情况都发生过了，您的文件还能不能用取决于您的决定和反应速度。 Kunt u de nodige files niet vinden? Is de inhoud van uw bestanden niet leesbaar? Het is gewoonlijk omdat de bestandsnamen en de gegevens in uw bestanden zijn versleuteld door “Cerber Ransomware”. Het betekent dat uw bestanden NIET beschadigd zijn! Uw bestanden zijn alleen gewijzigd. Deze wijziging is omkeerbaar. Vanaf nu is het niet mogelijk uw bestanden te gebruiken totdat ze ontsleuteld zijn. De enige manier om uw bestanden veilig te ontsleutelen is door de speciale ontsleutel-software “Cerber Decryptor” te kopen. Elke poging om uw bestanden te herstellen met software van een derde partij zal fataal zijn voor uw bestanden! U kunt op uw persoonlijke pagina de ontsleutel-software kopen: Even geduld aub... http://p27dokhpz2n7nvgr.tor2web.org/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.link/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.nu/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.cab/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.to/6A10-8F58-F0A2-0006-4656 Als deze pagina niet geopend kan worden klik dan hier om een nieuw adres aan uw persoonlijke pagina toe te voegen. Op deze pagina zult u de complete instructies ontvangen hoe u de ontsleutel-software kunt kopen om al uw bestanden te herstellen. Op deze pagina kunt u ook één file gratis herstellen om u ervan te verzekeren dat “Cerber Decryptor” u zal helpen. Als uw persoonlijke pagina langere tijd niet beschikbaar is, is er een andere manier om uw persoonlijke pagina te openen – het installeren en gebruiken van Tor Browser: start uw internet browser (als u niet weet welke dat is, start dan Internet Explorer); voer het adres in of kopieer het adres https://www.torproject.org/download/download-easy.html.en in de adresbalk van uw browser en druk op ENTER; wacht totdat de site laadt; op de site wordt u aangeboden om de Tor Browser te laden; downloadt het en voer het uit, volg de installatie instructies, en wacht totdat de installatie compleet is; voer Tor Browser uit; maak verbinding met de knop “Connect” (als u de Engelse versie gebruikt); een normale Internet browser zal openen na de installatie; typ of kopieer het adres http://p27dokhpz2n7nvgr.onion/6A10-8F58-F0A2-0006-4656 in de adresbalk van uw browser; druk ENTER; de site zou moeten laden; als om enige reden de site niet laadt, wacht dan even en probeer opnieuw. Indien uw problemen heeft tijdens de installatie of het gebruik van Tor Browser, ga dan naar https://www.youtube.com en typ in de zoekbalk “install tor browser windows” en u zult een heleboel training video’s vinden over de installatie en het gebruik van Tor Browser. Aanvullende informatie: U vindt de instructies om uw bestanden te herstellen (“*_HELP_HELP_HELP_*.hta”) in elke folder met uw versleutelde bestanden. De instructies (“*_HELP_HELP_HELP_*.hta”) in de folders met uw versleutelde bestanden zijn geen virussen, de instructies (“*_HELP_HELP_HELP_*.hta”) zal u helpen uw bestanden te ontsleutelen. Denk eraan, het ergste is al gebeurd en de toekomst van uw bestanden hangt af van uw vastberadenheid en de snelheid van uw acties. Vous ne trouvez pas les fichiers necessaires? Le contenu de vos fichiers n’est pas lisible? C’est normal car les noms des fichiers et des donnees dans vos fichiers ont ete cryptes par «Cerber Ransomware». Cela signifie que vos fichiers ne sont PAS endommages! Vos fichiers sont seulement modifies. Cette modification est reversible. A partir de maintenant, il n’est plus possible d’utiliser vos fichiers jusqu'a ce qu’ils soient decryptes. La seule facon de decrypter vos fichiers en toute securite est d’acheter le logiciel de decryptage special «Cerber Decryptor». Toute tentative visant a restaurer vos fichiers avec le logiciel tiers sera fatale pour vos fichiers! Vous pouvez proceder a l’achat du logiciel de decryptage sur votre page personnelle: S'il vous plaît, attendez... http://p27dokhpz2n7nvgr.tor2web.org/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.link/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.nu/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.cab/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.to/6A10-8F58-F0A2-0006-4656 Si vous ne pouvez pas ouvrir cette page cliquez ici pour generer une nouvelle adresse pour votre page personnelle. A cette page, vous recevrez les instructions completes sur la facon d'acheter le logiciel de decryptage pour la restauration de tous vos fichiers. Egalement a cette page, vous serez en mesure de restaurer n’importe quel fichier gratuitement pour etre sur que «Cerber Decryptor» vous aidera. Si votre page personnelle n’est pas disponible pendant une longue periode il y a une autre facon d’ouvrir votre page personnelle - installation et utilisation de Tor Browser: executez votre navigateur Internet (si vous ne savez pas ce que c’est, lancez Internet Explorer); saisissez ou copiez l’adresse https://www.torproject.org/download/download-easy.html.en dans la barre d’adresses de votre navigateur et appuyez sur ENTREE; attendez que le site charge; sur le site, il vous sera propose de telecharger Tor Browser; Telechargez et executez-le, suivez les instructions d’installation, attendez que l’installation se termine; lancez Tor Browser; connectez-vous avec le bouton «Connect» (si vous utilisez la version anglaise); une fenetre du navigateur Internet normale sera ouverte apres l’initialisation; tapez ou copiez l’adresse http://p27dokhpz2n7nvgr.onion/6A10-8F58-F0A2-0006-4656 dans cette barre d’adresse de navigateur; appuyez sur ENTREE; le site doit etre charge; Si pour une raison quelconque, le site ne se charge pas, attendez quelques instants et reessayez. Si vous avez des problemes pendant l’installation ou l’utilisation de Tor Browser, veuillez visiter https://www.youtube.com et saisir la demande dans la barre de recherche « installer la fenetre tor browser » vous y trouverez de nombreuses videos de formation sur l'installation et l'utilisation de Tor Browser. Informations supplementaires: Vous trouverez les instructions pour la restauration de fichiers («*_HELP_HELP_HELP_*.hta») dans n’importe quel dossier contenant vos fichiers cryptes. Les instructions («*_HELP_HELP_HELP_*.hta») dans les dossiers contenant vos fichiers cryptes ne sont pas des virus, les d’instructions («*_HELP_HELP_HELP_*.hta») vous aid

URLs

http://p27dokhpz2n7nvgr.tor2web.org/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.link/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.nu/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.cab/6A10-8F58-F0A2-0006-4656http://p27dokhpz2n7nvgr.onion.to/6A10-8F58-F0A2-0006-4656

http://p27dokhpz2n7nvgr.onion/6A10-8F58-F0A2-0006-4656

https://www.baidu.com

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1095) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2913.bmp"	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\steam	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files\	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\the bat!	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\program files (x86)\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2284	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1680	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2468	b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe

C:\Users\Admin\AppData\Local\Temp\b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe
"C:\Users\Admin\AppData\Local\Temp\b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe"
1⤵
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_HELP_HELP_CC86QNJK_.hta"
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "b118f7bfeb377d3944bc7a7d3b7c907967ad6669697df69a036060328d4bc1eb.exe"
    3⤵
    - Kills process with taskkill
    PID:2284
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1680

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:2856

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar47B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\_HELP_HELP_HELP_CC86QNJK_.hta

Filesize
73KB

MD5
2b79885c6d3d0458894ff62ea2101b4b

SHA1
1dd90ef87d2607c90f89c95b829dde27566b9036

SHA256
ad58d27d7c28c6c5bcd3e043017771eb00620ce63bda16577e569b81e5b4e54e

SHA512
733909c1c5b27d48dcbfcbf74565acb6fd7e96e310dd80ae0064cb5ec42709de44396de4d58c87f268ad060e580673f2c134fec5067775995d423f1d15ce1bb2

Download Submit
C:\Users\Admin\Desktop\_HELP_HELP_HELP_G0RP4X9_.png

Filesize
426KB

MD5
761daa435ce3368018f3b0ea1f682b7f

SHA1
1d2b8bc4408033a294f4d9e0bdada2ec7877e5ba

SHA256
ff25bbccad4b51fc75729b86daf74b8f2aca8132b2e09f67d96f147267b0f62e

SHA512
fee8299e0aa64f72de11399f0cefc5686fe67e8b2e82e9c359dd3f8dfb93e69419bcf8b8ce48d215843249508259387d628c1c41dc85fe9605db62e8e4c4d657

Download Submit
memory/2468-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2468-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2468-70-0x0000000003B00000-0x0000000003B02000-memory.dmp

Filesize
8KB

Download
memory/2468-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-71-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download