teslacrypt | 91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
Size

388KB
MD5

27e887aa14f3890a72f06ec5d0759f20
SHA1

8bacf22533725fd98c254c8eb6852edbe225a0ef
SHA256

91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
SHA512

56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089
SSDEEP

12288:LhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:F4DRw7325gPh

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ujerx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4E38C8C18A7A6CBA 2. http://kkd47eh4hdjshb5t.angortra.at/4E38C8C18A7A6CBA 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/4E38C8C18A7A6CBA If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/4E38C8C18A7A6CBA 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4E38C8C18A7A6CBA http://kkd47eh4hdjshb5t.angortra.at/4E38C8C18A7A6CBA http://ytrest84y5i456hghadefdsd.pontogrot.com/4E38C8C18A7A6CBA *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/4E38C8C18A7A6CBA

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4E38C8C18A7A6CBA

http://kkd47eh4hdjshb5t.angortra.at/4E38C8C18A7A6CBA

http://ytrest84y5i456hghadefdsd.pontogrot.com/4E38C8C18A7A6CBA

http://xlowfznrg4wf7dli.ONION/4E38C8C18A7A6CBA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (405) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2748 cmd.exe

pid	process
2748	cmd.exe

Drops startup file 3 IoCs

Processes:

fbkuecfutijw.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ujerx.html	fbkuecfutijw.exe

Executes dropped EXE 2 IoCs

Processes:

fbkuecfutijw.exefbkuecfutijw.exe

pid process

2524 fbkuecfutijw.exe
2888 fbkuecfutijw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2524	fbkuecfutijw.exe
2888	fbkuecfutijw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fbkuecfutijw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\qvbojllgjplh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\fbkuecfutijw.exe\""	fbkuecfutijw.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_27e887aa14f3890a72f06ec5d0759f20.exefbkuecfutijw.exe

description	pid	process	target process
PID 2976 set thread context of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2524 set thread context of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe

Drops file in Program Files directory 64 IoCs

Processes:

fbkuecfutijw.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\Recovery+ujerx.html	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\Recovery+ujerx.txt	fbkuecfutijw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\Recovery+ujerx.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css	fbkuecfutijw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png	fbkuecfutijw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\Recovery+ujerx.txt	fbkuecfutijw.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe

description	ioc	process
File created	C:\Windows\fbkuecfutijw.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
File opened for modification	C:\Windows\fbkuecfutijw.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a07992ed23bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000c53e53e667ba4f447dde5ac646cd52e9f8a18562f5734218148ff8f4b7aa1e0d000000000e80000000020000200000003463a6feb9d55abd901604f93bc7d7c88e088f622468c9cbcdc6d02aade2dd2590000000dea261e2a96b843c750aec88e08518c23d61f434f74f9542a4403a7cae84d4eb39b3897245d9e64625bcd87c8c37e352e0872af22960e752712179061387e87686f38dae44de8beba2008d476eda1794e5e05f9c59f31e07424adcde758666a629601b38a330ddf509b574b62656dad5a08416f0bb6887f16d152878bfab14c792b7a9fea666a0cfe025a41d9c7101ae40000000ba32c8989b78e045594d59760d9c861618f36ec9134264c24be9939bc526d2a45c63d03ddd14f5d8a5cefe6c6daaebc5cbfa1a40251ca9b6bef4556702449b33	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000002f998fe33e32c8934da8931c17ba849f909320db1b1a8b21fb988a638d7a088b000000000e80000000020000200000003d9e3368651db3a5890b3d2c969c298020b47ffb734b10ae464286dce693b428200000001ad80e7d45a6040303f46c7e69551e142eb277f1748d4558ad930bd2fe7d2a38400000006531c6199164cd0da34ae889df71e07f95b047d9c762a31201ba7972c5e738606f10d151d8007b39a2b4649fe566801555a54332a8e3e4bf71941fc4cb6d6d28	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{190CB911-2717-11EF-9A67-52FD63057C4C} = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

fbkuecfutijw.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	fbkuecfutijw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	fbkuecfutijw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	fbkuecfutijw.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	fbkuecfutijw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	fbkuecfutijw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	fbkuecfutijw.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2728 NOTEPAD.EXE

pid	process
2728	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fbkuecfutijw.exe

pid	process
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe
2888	fbkuecfutijw.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

VirusShare_27e887aa14f3890a72f06ec5d0759f20.exefbkuecfutijw.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
Token: SeDebugPrivilege	2888	fbkuecfutijw.exe
Token: SeIncreaseQuotaPrivilege	2332	WMIC.exe
Token: SeSecurityPrivilege	2332	WMIC.exe
Token: SeTakeOwnershipPrivilege	2332	WMIC.exe
Token: SeLoadDriverPrivilege	2332	WMIC.exe
Token: SeSystemProfilePrivilege	2332	WMIC.exe
Token: SeSystemtimePrivilege	2332	WMIC.exe
Token: SeProfSingleProcessPrivilege	2332	WMIC.exe
Token: SeIncBasePriorityPrivilege	2332	WMIC.exe
Token: SeCreatePagefilePrivilege	2332	WMIC.exe
Token: SeBackupPrivilege	2332	WMIC.exe
Token: SeRestorePrivilege	2332	WMIC.exe
Token: SeShutdownPrivilege	2332	WMIC.exe
Token: SeDebugPrivilege	2332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2332	WMIC.exe
Token: SeRemoteShutdownPrivilege	2332	WMIC.exe
Token: SeUndockPrivilege	2332	WMIC.exe
Token: SeManageVolumePrivilege	2332	WMIC.exe
Token: 33	2332	WMIC.exe
Token: 34	2332	WMIC.exe
Token: 35	2332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2828	WMIC.exe
Token: SeSecurityPrivilege	2828	WMIC.exe
Token: SeTakeOwnershipPrivilege	2828	WMIC.exe
Token: SeLoadDriverPrivilege	2828	WMIC.exe
Token: SeSystemProfilePrivilege	2828	WMIC.exe
Token: SeSystemtimePrivilege	2828	WMIC.exe
Token: SeProfSingleProcessPrivilege	2828	WMIC.exe
Token: SeIncBasePriorityPrivilege	2828	WMIC.exe
Token: SeCreatePagefilePrivilege	2828	WMIC.exe
Token: SeBackupPrivilege	2828	WMIC.exe
Token: SeRestorePrivilege	2828	WMIC.exe
Token: SeShutdownPrivilege	2828	WMIC.exe
Token: SeDebugPrivilege	2828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2828	WMIC.exe
Token: SeRemoteShutdownPrivilege	2828	WMIC.exe
Token: SeUndockPrivilege	2828	WMIC.exe
Token: SeManageVolumePrivilege	2828	WMIC.exe
Token: 33	2828	WMIC.exe
Token: 34	2828	WMIC.exe
Token: 35	2828	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2920 iexplore.exe
1676 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2920 iexplore.exe
2920 iexplore.exe
2688 IEXPLORE.EXE
2688 IEXPLORE.EXE

pid	process
2920	iexplore.exe
1676	DllHost.exe

pid	process
2920	iexplore.exe
2920	iexplore.exe
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

VirusShare_27e887aa14f3890a72f06ec5d0759f20.exeVirusShare_27e887aa14f3890a72f06ec5d0759f20.exefbkuecfutijw.exefbkuecfutijw.exeiexplore.exe

description	pid	process	target process
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2976 wrote to memory of 2700	2976	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
PID 2700 wrote to memory of 2524	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	fbkuecfutijw.exe
PID 2700 wrote to memory of 2524	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	fbkuecfutijw.exe
PID 2700 wrote to memory of 2524	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	fbkuecfutijw.exe
PID 2700 wrote to memory of 2524	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	fbkuecfutijw.exe
PID 2700 wrote to memory of 2748	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	cmd.exe
PID 2700 wrote to memory of 2748	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	cmd.exe
PID 2700 wrote to memory of 2748	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	cmd.exe
PID 2700 wrote to memory of 2748	2700	VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe	cmd.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2524 wrote to memory of 2888	2524	fbkuecfutijw.exe	fbkuecfutijw.exe
PID 2888 wrote to memory of 2332	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2332	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2332	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2332	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2728	2888	fbkuecfutijw.exe	NOTEPAD.EXE
PID 2888 wrote to memory of 2728	2888	fbkuecfutijw.exe	NOTEPAD.EXE
PID 2888 wrote to memory of 2728	2888	fbkuecfutijw.exe	NOTEPAD.EXE
PID 2888 wrote to memory of 2728	2888	fbkuecfutijw.exe	NOTEPAD.EXE
PID 2888 wrote to memory of 2920	2888	fbkuecfutijw.exe	iexplore.exe
PID 2888 wrote to memory of 2920	2888	fbkuecfutijw.exe	iexplore.exe
PID 2888 wrote to memory of 2920	2888	fbkuecfutijw.exe	iexplore.exe
PID 2888 wrote to memory of 2920	2888	fbkuecfutijw.exe	iexplore.exe
PID 2920 wrote to memory of 2688	2920	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2688	2920	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2688	2920	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2688	2920	iexplore.exe	IEXPLORE.EXE
PID 2888 wrote to memory of 2828	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2828	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2828	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2828	2888	fbkuecfutijw.exe	WMIC.exe
PID 2888 wrote to memory of 2064	2888	fbkuecfutijw.exe	cmd.exe
PID 2888 wrote to memory of 2064	2888	fbkuecfutijw.exe	cmd.exe
PID 2888 wrote to memory of 2064	2888	fbkuecfutijw.exe	cmd.exe
PID 2888 wrote to memory of 2064	2888	fbkuecfutijw.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

fbkuecfutijw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fbkuecfutijw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fbkuecfutijw.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\fbkuecfutijw.exe
    C:\Windows\fbkuecfutijw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\fbkuecfutijw.exe
      C:\Windows\fbkuecfutijw.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2888
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2728
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2688
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FBKUEC~1.EXE
        5⤵
        
        PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ujerx.html

Filesize
9KB

MD5
a8abcbf1452dffb8d6fef7bffab2c4b3

SHA1
151c85f15ae2c1e8124831151034100319999d62

SHA256
9c149e8b479e99a8be9bd08e6da78e2a09ad009973d8a9edab13630063a50c61

SHA512
b073c74b82bf0810f221daad6b6c8213dcab4c21e3a73e53affc16d8b4e9e64143cf2d3e6c3f8ffd2b0a9c3cc4a7d8ee148ca9ec69d11d590f985478ee732297

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ujerx.png

Filesize
63KB

MD5
9c748dc8f448b28fecc1123a6b32fec5

SHA1
29a5a04f5aec8106f21259c7e7847e1c7c552349

SHA256
324f134a49a37ed6d2dc701d6c69420a878f07be7d74645138c5f1024fdd24fa

SHA512
e8973f9347a0035cf3c7d0c39d693b60238d98052c0b84449a4968bb9d1cedba54acd35d938b275955cb02afa5d5aa9316b2575dc716f28326b8eb0ce34c420c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ujerx.txt

Filesize
1KB

MD5
be21b0983fd2805729707c551b9404fd

SHA1
8a0a4431e3eee4e81863e0e6fb0016ab8f6a2fbb

SHA256
0330f2dc94f8d52cc22a4a656e00f32eb37ef85f71286c8ef736668c73098434

SHA512
98a9458032502962d3884ebbac6124347cbda213e5bd6f79c746e921af774df20138fc3260fbc72849e77b39fd3508f57d958ed2d128ecda8fa41a3920363bb3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
8d1dbb2e1d7d07010d7122628178b8f3

SHA1
e3eb047c7150b65393611299ae836979f2b63240

SHA256
01cd8c739b1065e43f07aff48ecb4c35d7d98030eaa47a910e8a8b6037a3137d

SHA512
53171e81ef09f5172131a7d51f655288ca218e83d77fc72f3c60651d44744d809e20a5c2ea41bef758a41755b71f9e10d6b70acbcc380a7c9a9c814ca3c2ebb4

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
e7271363d98166842e943908e524f8de

SHA1
cb645e444248e3636be2cce66afc52df2227212d

SHA256
d53363d2684f863e6ac0ac3a20ffda41f60e27545cd2bac63ff815494bb27bd2

SHA512
8c4732da0c9fc57e4cad79bd0910c8a12f68f7029d5ff51f8e07c2efda6d99dec8fe52c4fd9ba3d382519a0a095071daaf8c18c34de027543fa7e3ee2414b3e4

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
0105a0271e31fe9abc2581ead0e03535

SHA1
38918e42490cd43729b8633689c22325e0fd1563

SHA256
067ae23e1ff4e71d9eb6f64183601816c47a3820a692b4ce88b7d01f8cd4ffda

SHA512
9bd11ee8611a141977679f03555c0cfe724fe80eed173d79dc1baabbcd5ad48f73704f32049651827c4733ec1eeb1133028bd90582005f86f5431b0a308ca203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
212f4204dbb1aea4f82b280ca1b5840d

SHA1
300ff57dbdf5ff1b2c803c4683f76822d143a892

SHA256
1653566069b394d7631faeb57aab65e912c1f88948092d2d1e3db201cd742230

SHA512
6cc87db2aa0444bf137cf5f5e126aa7e8411d178bbf724f862ecba786546f198ce84f2d19a619e181e967de94606fc36466a8d71e82b094c37567d7acfe8be16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3bf5cd0bf795d36137c6e6af359189b3

SHA1
15d5ad089a6c801e10e2bcddbefcd5e53074be22

SHA256
203c2cedda26107d6f1c05e83c9be2f409b25444bfae5b5f7020c44c45b59fa8

SHA512
b31ad2d43c245c5c7ffbcbc7fc06f55a8bc3eb6518c16776c862a60154b8adaf7e3e4e7c4f7ec4cb1670ad3eba190192785c21e04712effbd109ba424583ce59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ed61eef8e39de8c1ee9a11620af6876f

SHA1
c863b5efa82dba8e38c1fc8c9bfae1d1b3049283

SHA256
03ea0aed8cb0336b791b33fa96ee991ecee80a261abb44f1991324654e963e3e

SHA512
4942cd5abc66546de0775f5851af593656561728dafbe5c5f02c70cf02b6ad583b3c1bbb085486b81ad1825915db1e6f778c7eed535eea9d693005f369a1850b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fe8817880b2f56cae90f304fe49dfa92

SHA1
7fb35385d96011301c682b25047c1821db276150

SHA256
b9d6442fc44ec2c1dcc408ccc954d2cd82f58c0414e977508bd60bf8b8f16ebb

SHA512
bf81b657261fab2a68588738d96684a2b8591260079feed4665f339a5a71b43f063c29aa0d395c748e39eb539ff116ae657ce4322ad71d270f54a1f5f58bdb72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c8bee551d4444aa8cb4c10f72c446b8d

SHA1
6a5e73162fcaff8582b3ae8f01b9bd98a593d538

SHA256
dc5fa6ae85b7ed4e0b2eeb5d6abdd7b8a7dfee896c7e246c76897a26e850e9fd

SHA512
a1e50cff973ded3eaee795078a68995beec9fb6131bd3d6f4609333472eedc3b8eccede8c81fb7c7bfe24be56f27e6c7799db81ab85c9d59ff66c2f0b7dcf82e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
17d793ec7df377dff0c6d3a38a80d1bb

SHA1
5263c5c149973c6e0fabaf800a334b05732c3c27

SHA256
8cf7b93a5fa133fd6bf7cd61e4a2a5ab026b81d6d243b52cf510fb4f16be98cb

SHA512
9699554d5a567ecd9e917b45586328d462734dc827a27b7bf1e0272015d0c194be72b7979def44844e3bbfd2d138e4e1fe62c7d12c95041f0f24d7ec96319bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e9e633dbcb71c269f18b4ae7c042edf1

SHA1
43255b01c56910fc3d06600d3e9b18f703e691e6

SHA256
e761ce190adc8857dc7c5f1ce268c669e0eaaf3c333ddfc2292bf420d7098ce1

SHA512
b2550b7263f2dc5e12d330701399fde8c427eabeb37e5af34a58926c41fc3c039ae35c4262a7f8ad1e6a6094492b4aebe2c3ba1a82e0b28c2935361272fc8fc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
eadd917efcf522fd1ffa89508df53449

SHA1
a1f7c301856f6d3061b1a0a1acad1a156c11032c

SHA256
6d74c3af6697eb90319340ca659391dd8c178f99a4e6e2091122b673348b256a

SHA512
7049058267a7d2c57d92b33503b9ff7f3e360537b334519533b0b4cb53f0456e3f4d1a2afa5694ad848f1d536a7e476face091e52d3bf988eca191d17dcf05a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
794bc4f6e128b6a1b10e18ca1eef972c

SHA1
2ec3498c8a7335111782171fdfa20891d3433840

SHA256
9e81b174e3bba8a55c33c781c42f1cada141cde83845857c720b4278147fcd1c

SHA512
6bb68cc5f47a31c5c148aae4a0dd65a897bd62910816abe6741c2576c35b7ce46723dcf67dda0f32f0905b6a6c09d14561b55dad9fad4b5e2f99fc8bbbd2ca12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
435eac012454098448f2012bdd2771c3

SHA1
c72373907ac674f83bb3ce31153eb6dbf75eea97

SHA256
1005bbf5ec3b63bc328caa9c7a6ad52fda314ba43ad56935b0e54ef678b7a820

SHA512
0c6928b000e26dbb2108c72a37393d332731fa47ae7e9a50977dce7b023c24d4a2b2a4b27c3484cd417bed90631c64cafe3198a56b392f2e5475f30b3ff07db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD41.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\fbkuecfutijw.exe

Filesize
388KB

MD5
27e887aa14f3890a72f06ec5d0759f20

SHA1
8bacf22533725fd98c254c8eb6852edbe225a0ef

SHA256
91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267

SHA512
56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

Download Submit
memory/1676-6096-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2524-31-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2700-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-6098-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-6013-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-6099-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-6113-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-6112-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-6089-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-6095-0x0000000002F00000-0x0000000002F02000-memory.dmp

Filesize
8KB

Download
memory/2888-2854-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-1523-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2888-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2976-18-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2976-0-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2976-1-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download