teslacrypt | 6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
Size

388KB
MD5

40707cdcd4220213b9ef2545043d6c99
SHA1

7f9d3ad1125de47368644e29b5d5cd515c6497e8
SHA256

6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
SHA512

0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088
SSDEEP

6144:tYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:tnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iqbsr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9B913E7578B55386 2. http://kkd47eh4hdjshb5t.angortra.at/9B913E7578B55386 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/9B913E7578B55386 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/9B913E7578B55386 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9B913E7578B55386 http://kkd47eh4hdjshb5t.angortra.at/9B913E7578B55386 http://ytrest84y5i456hghadefdsd.pontogrot.com/9B913E7578B55386 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9B913E7578B55386

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9B913E7578B55386

http://kkd47eh4hdjshb5t.angortra.at/9B913E7578B55386

http://ytrest84y5i456hghadefdsd.pontogrot.com/9B913E7578B55386

http://xlowfznrg4wf7dli.ONION/9B913E7578B55386

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (424) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iqbsr.html	uxobpsjaqhdu.exe

Executes dropped EXE 2 IoCs

pid	Process
2512	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\tohxafmrygep = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\uxobpsjaqhdu.exe\""	uxobpsjaqhdu.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2204 set thread context of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2512 set thread context of 2464	2512	uxobpsjaqhdu.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\slideShow.js	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\Recovery+iqbsr.txt	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\Recovery+iqbsr.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Recovery+iqbsr.html	uxobpsjaqhdu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\Recovery+iqbsr.png	uxobpsjaqhdu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\uxobpsjaqhdu.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
File opened for modification	C:\Windows\uxobpsjaqhdu.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000047e47041efd0e24fa7dfd8ab9e66e16100000000020000000000106600000001000020000000133f2050bc090007abc6e210d9b1c5c56b25dd0cefb5e734c76fe80e2feb7f1e000000000e800000000200002000000084da2f321523eddb5505858fba1ba0b613484d8a9001cfe311e4ad278a527025200000002dce26c112b99a615a583d2aadb918a072602132dd5e1e4518642a6df3df6e8740000000405024134988e53ef8366626fca6a0fbf2b6ee2260bd1abc9862aa250efa230ac0ca2a737efdefa2534912396b12533882873aa3c7605dc50574dc8b3172c0c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6FA81771-271B-11EF-A4DC-6EC9990C2B7A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40862b4428bbda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000047e47041efd0e24fa7dfd8ab9e66e161000000000200000000001066000000010000200000007a1262dfb6fb751f8902a8fb251b819d0f9d97b61fc60a763fdc4c8aeffe7166000000000e80000000020000200000002535385c9602853f579906527509ba0d3c575bf8407bbcd0527a03f26f2f37f190000000704496348f7e15f3c13dad412a634decfeb1626f340f68921a5058d11a041596da0dbf87c1327eb36187ae4c9c7c95244fa1a339e6b627572b56609167f6b0b4633afba5ffd163f351efc6d218aa415d9ab6ac83fb2820494e50f5242adb6daec2ff32d6fc606dab105217f46b9a8fc715a9078935c1d74b623a44e811b6f135d024f8b228f96f047790767ed368e47f400000000dbbcaffafb127e12a05d0143796b923dfbedb823df46f22c71cab0d0a033a417f77a84b9da9e4575598fe8ed79a1cc49707a8f55f0430f53855232bc67df928	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	uxobpsjaqhdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	uxobpsjaqhdu.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	uxobpsjaqhdu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	uxobpsjaqhdu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	uxobpsjaqhdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	uxobpsjaqhdu.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2612	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe
2464	uxobpsjaqhdu.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
Token: SeDebugPrivilege	2464	uxobpsjaqhdu.exe
Token: SeIncreaseQuotaPrivilege	2312	WMIC.exe
Token: SeSecurityPrivilege	2312	WMIC.exe
Token: SeTakeOwnershipPrivilege	2312	WMIC.exe
Token: SeLoadDriverPrivilege	2312	WMIC.exe
Token: SeSystemProfilePrivilege	2312	WMIC.exe
Token: SeSystemtimePrivilege	2312	WMIC.exe
Token: SeProfSingleProcessPrivilege	2312	WMIC.exe
Token: SeIncBasePriorityPrivilege	2312	WMIC.exe
Token: SeCreatePagefilePrivilege	2312	WMIC.exe
Token: SeBackupPrivilege	2312	WMIC.exe
Token: SeRestorePrivilege	2312	WMIC.exe
Token: SeShutdownPrivilege	2312	WMIC.exe
Token: SeDebugPrivilege	2312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2312	WMIC.exe
Token: SeRemoteShutdownPrivilege	2312	WMIC.exe
Token: SeUndockPrivilege	2312	WMIC.exe
Token: SeManageVolumePrivilege	2312	WMIC.exe
Token: 33	2312	WMIC.exe
Token: 34	2312	WMIC.exe
Token: 35	2312	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeSecurityPrivilege	2308	WMIC.exe
Token: SeTakeOwnershipPrivilege	2308	WMIC.exe
Token: SeLoadDriverPrivilege	2308	WMIC.exe
Token: SeSystemProfilePrivilege	2308	WMIC.exe
Token: SeSystemtimePrivilege	2308	WMIC.exe
Token: SeProfSingleProcessPrivilege	2308	WMIC.exe
Token: SeIncBasePriorityPrivilege	2308	WMIC.exe
Token: SeCreatePagefilePrivilege	2308	WMIC.exe
Token: SeBackupPrivilege	2308	WMIC.exe
Token: SeRestorePrivilege	2308	WMIC.exe
Token: SeShutdownPrivilege	2308	WMIC.exe
Token: SeDebugPrivilege	2308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2308	WMIC.exe
Token: SeRemoteShutdownPrivilege	2308	WMIC.exe
Token: SeUndockPrivilege	2308	WMIC.exe
Token: SeManageVolumePrivilege	2308	WMIC.exe
Token: 33	2308	WMIC.exe
Token: 34	2308	WMIC.exe
Token: 35	2308	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2280	iexplore.exe
2444	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2280	iexplore.exe
2280	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2204 wrote to memory of 2576	2204	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	28
PID 2576 wrote to memory of 2512	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	29
PID 2576 wrote to memory of 2512	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	29
PID 2576 wrote to memory of 2512	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	29
PID 2576 wrote to memory of 2512	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	29
PID 2576 wrote to memory of 2532	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	30
PID 2576 wrote to memory of 2532	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	30
PID 2576 wrote to memory of 2532	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	30
PID 2576 wrote to memory of 2532	2576	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	30
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2512 wrote to memory of 2464	2512	uxobpsjaqhdu.exe	34
PID 2464 wrote to memory of 2312	2464	uxobpsjaqhdu.exe	35
PID 2464 wrote to memory of 2312	2464	uxobpsjaqhdu.exe	35
PID 2464 wrote to memory of 2312	2464	uxobpsjaqhdu.exe	35
PID 2464 wrote to memory of 2312	2464	uxobpsjaqhdu.exe	35
PID 2464 wrote to memory of 2612	2464	uxobpsjaqhdu.exe	41
PID 2464 wrote to memory of 2612	2464	uxobpsjaqhdu.exe	41
PID 2464 wrote to memory of 2612	2464	uxobpsjaqhdu.exe	41
PID 2464 wrote to memory of 2612	2464	uxobpsjaqhdu.exe	41
PID 2464 wrote to memory of 2280	2464	uxobpsjaqhdu.exe	42
PID 2464 wrote to memory of 2280	2464	uxobpsjaqhdu.exe	42
PID 2464 wrote to memory of 2280	2464	uxobpsjaqhdu.exe	42
PID 2464 wrote to memory of 2280	2464	uxobpsjaqhdu.exe	42
PID 2280 wrote to memory of 2544	2280	iexplore.exe	43
PID 2280 wrote to memory of 2544	2280	iexplore.exe	43
PID 2280 wrote to memory of 2544	2280	iexplore.exe	43
PID 2280 wrote to memory of 2544	2280	iexplore.exe	43
PID 2464 wrote to memory of 2308	2464	uxobpsjaqhdu.exe	45
PID 2464 wrote to memory of 2308	2464	uxobpsjaqhdu.exe	45
PID 2464 wrote to memory of 2308	2464	uxobpsjaqhdu.exe	45
PID 2464 wrote to memory of 2308	2464	uxobpsjaqhdu.exe	45
PID 2464 wrote to memory of 832	2464	uxobpsjaqhdu.exe	48
PID 2464 wrote to memory of 832	2464	uxobpsjaqhdu.exe	48
PID 2464 wrote to memory of 832	2464	uxobpsjaqhdu.exe	48
PID 2464 wrote to memory of 832	2464	uxobpsjaqhdu.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uxobpsjaqhdu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	uxobpsjaqhdu.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\uxobpsjaqhdu.exe
    C:\Windows\uxobpsjaqhdu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\uxobpsjaqhdu.exe
      C:\Windows\uxobpsjaqhdu.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2464
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2612
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2544
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UXOBPS~1.EXE
        5⤵
        
        PID:832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2532

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iqbsr.html

Filesize
9KB

MD5
4478b59ab7aa18d21f91ddac54a4daed

SHA1
4a4b63738b0bc210a25f40fad36f789610e39a7a

SHA256
96c9515ffaf4f57bd00f8f4fec8807b5309c8883d4b8ea66fc7c5db0c9c26ff8

SHA512
b22c032c3df34db9c5009322e5ac54abe6ab64f5b2a2f3d4f318a8cb942ed7504b8cf01f27a1b301e129841cfc1eb88197de1652f6cec9617cffaa6fa4eb75ae

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iqbsr.png

Filesize
63KB

MD5
658314150e079e451a57e851af093e44

SHA1
0e8ff603d6fa690faac4a3f32140c011d49c0dc1

SHA256
91f5bb01b7a413c3f851d7c5f816d1e80f4198f372515f9c39621930202671d1

SHA512
b23ce432765a998d56c0c13250643ada0358892a09a454b84592fa0290b728ea2a42b0f92f4eb2db26d7c3e416abfe5c4fcc2a2d54e0bf6f607041e4730494c4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iqbsr.txt

Filesize
1KB

MD5
6e9b0a34164fa423cf0424b3b30c73d6

SHA1
7f2f87e01bf6ad925ccf6fca34b58c6d0d58091e

SHA256
4a00a3e06e1097b235b7b8ddeb0bed5059a4df24b6e96bf89d87012197473d65

SHA512
ff9468658619040bff5aa6bddc1ec9e2d57238c164d51e6f84a0ee20edc2fa0172eed44f48ea2f5ff729b342747e4976dab1c878684726f16628e2ad16c439fc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
7b8295923545c7be29e5abcdf24499dc

SHA1
97ecdbfe973e03865fd8712f3cbdf73f13ce55dc

SHA256
45e02892f014b204ddc75c21fa08fd56ccc6d57769f3db3b3d5161e119ba0782

SHA512
34a5d3718bd2793fc17ea556a51bb1b906e13cb18eea0685c8e52144cc4e1935c0fbbbed732d95a00bcd538ee9529c3914c774540714c8aa089be09d8bc2a54a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
3b8cfa77f85ce21930b2353ccba1dc3c

SHA1
81396a9f5511072d563400de80b31c2a7aab92e0

SHA256
7e92c352615d0346ad0d199bcb4f264ebcc3e9abd4ac2cf050ebcfa5b6f1dac0

SHA512
78535a064dd87c04370c39183d1cc8fc8ec1ac0951ff7a6a2a9f51e5e3e5079a4052f3fab9cdd140acb9143ff9140010ee72c7f10ad1975781380141301fd873

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
1292adff9ae479209dd08bb9461eaeb0

SHA1
0cac1e5b7f07d2530fd9d86d79b5d25e0faa2348

SHA256
96cf0a29f6faf52414766ffd4886176564a9bf05741d70fc6e2ab2cd48f30348

SHA512
003ebd4d0094095172b74f645f519f84fc770cc4ffd06e52614b20dfa342b44a36bc23f78d231347f6627dbe97c33aad6b5109e3135d8a268f5a7ddba2a9e408

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ade670ab162d246762213009ec8e6da5

SHA1
ba1b5c3ffd9c67f2cec8da72a176005143301fcb

SHA256
294d7c6c48ae06deea4c83611236bd46f043b60661cbee3c8f37a0a962dc42fb

SHA512
2e2a8270c14beaca4ea327c7588a0754c1812de7f2017e47b43ccd2b52677c49a46ecb12a362d7bcbb83b0b1f3befc6f805fa769aeb7622496c53b66d2ef70bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab78a70b028c762448343b67c5ab69c9

SHA1
345187addc6f751c4597ea52b37bd7ddd2bf67a0

SHA256
af2a8af50bac276cdb5b50e0ec66b5c068c56baf665c3d337837cdbf6a40884e

SHA512
70e127925ecde8322a9cdaae03edad674c746077d5d1652e22b8b122ec6f83d6b6152a8e4480aef38e58b5fc4fa239564015358bd05c4b8ad1e14272294db81a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb9673e5432e0e1f130e048fc817cc56

SHA1
2a3ec188eabcc19379f60c503cf752ac6afbcf0e

SHA256
b431132d60d72fe09ac71087f8dabb743b25ee9dcddadc5dbd1b5bce53bc7b40

SHA512
4534031cdee11b850b2e66d9179f3608c58308655d9fb2c39f466a8b247277a554245326d9c31bad6059493db4f865017cae506a6c2c9baed4127dcec77aa06e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4012203d023a5f6a283aa35d793432b6

SHA1
2bd0e7c015304f7168cbe88a573bd1c1dff0a3df

SHA256
3b27082147f05426db4ffd5fbae15540147ba0f60583d210abf392112f827305

SHA512
7172fdf9d11923a2f2b63039fc6a7d0c25aa2b60c996fe9342d187b464af3e5d5ee11ed6a9c8506c0a2470691b9f9c79b7912699a1b21ff015b70fa69fe0b351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
674503b89c904db4da8d96a390657a14

SHA1
867e6c12eae4d9bffd43e595661a22d4999e8bd6

SHA256
37be08807e761dcdeb3249f32bd0faffd3dddd3cc324c16d3f40038e4e4e1f24

SHA512
28d1e546144fe8e23dfb7af1633b5560d4df62db8d6bdc86b2b68b0dbe585e158f23192aaecaee55f3cba57ecaad1825bfc7fa4baae98d3c5a9e4aa4328e9280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c587fd5bb140e7796c6a85837ebc5d49

SHA1
f917d0437532eee952bbf1a4a33aea9bc726ec99

SHA256
617af03fcaeefc459e356b7e10635b5b71d25291ad4a338e5f16af21e08e417e

SHA512
e3ebb10e0e6f09c59454211f6c187fcf7106cdeece8e7ae6160ed26f3c8eb32c2a814c4176ccb31209636cf396cf0b98163bd7af89a13ed07e07ca9d4cb4f121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab373fd6416539c971625ad4f8d670b0

SHA1
a8dec1dccf71377a1b77783e889dc6525bc2bc00

SHA256
e6e9eb72ed0120862c2564863eb59a8230549dad19449d3c880b193226c4cd23

SHA512
5745c8353002308bd60ada84ed8b55fbcdff16a94dce60a08e8b2d6b497120e2be8c3f776e6ee8345d19db9ab54be8bf9631cf6544b31680e38fbcce683dda0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
974b9f97cbecc91c85720852cf50c8d0

SHA1
61dcf304625c2380b9c42e7a28f6747747050ddf

SHA256
ceab7e22a0b8529a710b3bc810e3dff264218f9e2c9cb2c0f84ce5d0d6389c25

SHA512
10e1dc231210b416cce7249e4444736570cabe33c5d6a37af10dbb68a521c3a8f12dbf8eaeab1e4d634ae7df2a4242fc10c3127f550c324cb63ea34aedeff6e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7695df4a8e963be981f4e1ac372647c

SHA1
e6418abc921211866edb0545befc1207bf2c054a

SHA256
81d3d51454f829770603aa9481bb7a9ff7e6940fe5d6e03fd33a7be602ea7c99

SHA512
42b9d44f73a83349902078b91a8874edf5456bb73d99936dc3a23d2b51d078662873a1dc92b12015b7fffe2389568d6d73bba080627503f2366046f0beceead5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02332a2a5a897e8302654469da45eb43

SHA1
5ff695f05f742c21e697e1a25c94a3bf5bfbee37

SHA256
e4f35bb310d2b4b5c0e7381b65b43351f17fd6b991d670045564f190e035dcfd

SHA512
60520f5faf9b2192c80bd0ff961e0e65e98766bd29771b08db2ba547a0a00d86473c8ad9e216569f7accacb8cced30184cde8e63b3c64d83b66068526729ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1646.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\uxobpsjaqhdu.exe

Filesize
388KB

MD5
40707cdcd4220213b9ef2545043d6c99

SHA1
7f9d3ad1125de47368644e29b5d5cd515c6497e8

SHA256
6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

SHA512
0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088

Download Submit
memory/2204-18-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/2204-0-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/2204-1-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/2444-6086-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2464-6089-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-2534-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-1407-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-6115-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-5525-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-6079-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-6112-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-6085-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/2464-6088-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2464-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2512-28-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/2576-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2576-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download