e0aea54912d5f4e793d03303151a5d83b2d9c818b5ce8fa6ea3f609a3273114e

Analysis

max time kernel
123s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe
Size

222KB
MD5

41fb9932be35e9e5ea61d74f8517c748
SHA1

69330b95b02db41a23198f164af47a151556e863
SHA256

e0aea54912d5f4e793d03303151a5d83b2d9c818b5ce8fa6ea3f609a3273114e
SHA512

c46c433a4cd5bd52ccf23a0d9ff705d1a8eaa123adae5b71f6f9a18a13281850af954850a074c45157dad352b0cce27b3ef6ac905d603344d3e4d86cd0b3aebc
SSDEEP

6144:FiIqk2kmqtVqu1S0IaQsG8c6Ty9Av4DObk:FLqzkvBSJ+G8XySgaI

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\-!RecOveR!-wchpo++.Txt

Ransom Note

(#?0$; >/##-=." *;,!2=:+1*$9*;/ ----- (#?0$; >/##-=." *;,!2=:+1*$9*;/ (#?0$; >/##-=." *;,!2=:+1*$9*;/ ------- (#?0$; >/##-=." *;,!2=:+1*$9*;/ NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? (#?0$; >/##-=." *;,!2=:+1*$9*;/ ------- (#?0$; >/##-=." *;,!2=:+1*$9*;/ It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. (#?0$; >/##-=." *;,!2=:+1*$9*;/ ----- (#?0$; >/##-=." *;,!2=:+1*$9*;/ What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://74bfc.flubspiel.com/A68E5BBC75E03753 http://ibf4d.ukegaub.at/A68E5BBC75E03753 http://k3cxd.pileanoted.com/A68E5BBC75E03753 If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser, run TOR Browser *** Insert link in the address bar: xzjvzkgjxebzreap.onion/A68E5BBC75E03753 (#?0$; >/##-=." *;,!2=:+1*$9*;/ (#?0$; >/##-=." *;,!2=:+1*$9*;/ (#?0$; >/##-=." *;,!2=:+1*$9*;/ ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://74bfc.flubspiel.com/A68E5BBC75E03753 http://ibf4d.ukegaub.at/A68E5BBC75E03753 http://k3cxd.pileanoted.com/A68E5BBC75E03753 Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/A68E5BBC75E03753 Your personal ID A68E5BBC75E03753 (#?0$; >/##-=." *;,!2=:+1*$9*;/ (#?0$; >/##-=." *;,!2=:+1*$9*;/ (#?0$; >/##-=." *;,!2=:+1*$9*;/

URLs

http://74bfc.flubspiel.com/A68E5BBC75E03753

http://ibf4d.ukegaub.at/A68E5BBC75E03753

http://k3cxd.pileanoted.com/A68E5BBC75E03753

http://xzjvzkgjxebzreap.onion/A68E5BBC75E03753

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	ojtsayxhjuuf.exe

Loads dropped DLL 2 IoCs

pid	Process
1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe
1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bssimgddbayd = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\Documents\\ojtsayxhjuuf.exe\""	ojtsayxhjuuf.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Google\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\-!RecOveR!-wchpo++.Png	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\-!RecOveR!-wchpo++.Txt	ojtsayxhjuuf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\-!RecOveR!-wchpo++.Htm	ojtsayxhjuuf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2176	vssadmin.exe
2896	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80cbda8728bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e93d4698b3d3544bbddf8a3e9cadba36000000000200000000001066000000010000200000002fb613385e65635256963adeb409298d0cff8274d95dbfcba2164cdc36600cdb000000000e80000000020000200000007bad2943d4df065707f07a59264340930f53b60001ab3ee6756c195c88b171c220000000c25f0f3fb058e2a0b046e8ee33988a07f1a18a19324af4da0a99f531a1e4bd00400000002fc715f4b1d84e1bbb61bc3a4bd9ba2fb9ffe3e488e207fd14e032c8f729de40f2230e5aba27507056e6ab6985fafff58d03047004469262b714d1718d67983f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e93d4698b3d3544bbddf8a3e9cadba3600000000020000000000106600000001000020000000e03601660e68377ad80186eb32775eaad7e8e9eba9143861f3e1403cb08cf29e000000000e80000000020000200000001a81b079ccb4d11acad7b4326b3cfd6ad6e2466a8be2d72fae5d10ee89a705c89000000024ccaabafd79ffc373d9672852b98c4c417d58d18d04f07a76ebb5e597edc1cb6c241a331eeb72e361b9803031b1542777d32e4b258a406b3d9638d62db07e797a9633a5c059acbdb8cab8cd7a3770fd48e67913d2fcaf309aa40b67f28a270ce778036ca5a20fe93054e542e00b47e70191840ec99c73d55da59ebec21c9311995a3ee00b6592fe3859d01a48bd538240000000354f3654c249ab05a1a719be69a0fc0d1ec6e661927ca57e7ac9111c398cee15ce1fb0c3cea7e47d62f5e7c68f869b1102b9657c987774b2267eea8faf84f884	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2BC9B81-271B-11EF-A6D5-5A791E92BC44} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe
2204	ojtsayxhjuuf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	ojtsayxhjuuf.exe
Token: SeBackupPrivilege	2524	vssvc.exe
Token: SeRestorePrivilege	2524	vssvc.exe
Token: SeAuditPrivilege	2524	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1632	iexplore.exe
1608	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1632	iexplore.exe
1632	iexplore.exe
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2204	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	28
PID 1412 wrote to memory of 2204	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	28
PID 1412 wrote to memory of 2204	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	28
PID 1412 wrote to memory of 2204	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	28
PID 1412 wrote to memory of 2884	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	29
PID 1412 wrote to memory of 2884	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	29
PID 1412 wrote to memory of 2884	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	29
PID 1412 wrote to memory of 2884	1412	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	29
PID 2204 wrote to memory of 2896	2204	ojtsayxhjuuf.exe	31
PID 2204 wrote to memory of 2896	2204	ojtsayxhjuuf.exe	31
PID 2204 wrote to memory of 2896	2204	ojtsayxhjuuf.exe	31
PID 2204 wrote to memory of 2896	2204	ojtsayxhjuuf.exe	31
PID 2204 wrote to memory of 2084	2204	ojtsayxhjuuf.exe	41
PID 2204 wrote to memory of 2084	2204	ojtsayxhjuuf.exe	41
PID 2204 wrote to memory of 2084	2204	ojtsayxhjuuf.exe	41
PID 2204 wrote to memory of 2084	2204	ojtsayxhjuuf.exe	41
PID 2204 wrote to memory of 1632	2204	ojtsayxhjuuf.exe	42
PID 2204 wrote to memory of 1632	2204	ojtsayxhjuuf.exe	42
PID 2204 wrote to memory of 1632	2204	ojtsayxhjuuf.exe	42
PID 2204 wrote to memory of 1632	2204	ojtsayxhjuuf.exe	42
PID 2204 wrote to memory of 2176	2204	ojtsayxhjuuf.exe	43
PID 2204 wrote to memory of 2176	2204	ojtsayxhjuuf.exe	43
PID 2204 wrote to memory of 2176	2204	ojtsayxhjuuf.exe	43
PID 2204 wrote to memory of 2176	2204	ojtsayxhjuuf.exe	43
PID 1632 wrote to memory of 1740	1632	iexplore.exe	45
PID 1632 wrote to memory of 1740	1632	iexplore.exe	45
PID 1632 wrote to memory of 1740	1632	iexplore.exe	45
PID 1632 wrote to memory of 1740	1632	iexplore.exe	45
PID 2204 wrote to memory of 2392	2204	ojtsayxhjuuf.exe	47
PID 2204 wrote to memory of 2392	2204	ojtsayxhjuuf.exe	47
PID 2204 wrote to memory of 2392	2204	ojtsayxhjuuf.exe	47
PID 2204 wrote to memory of 2392	2204	ojtsayxhjuuf.exe	47

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ojtsayxhjuuf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ojtsayxhjuuf.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\Documents\ojtsayxhjuuf.exe
  C:\Users\Admin\Documents\ojtsayxhjuuf.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2204
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" Delete Shadows /For=C: /quiet
    3⤵
    - Interacts with shadow copies
    PID:2896
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\-!RecOveR!-wchpo++.Txt
    3⤵
    PID:2084
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\-!RecOveR!-wchpo++.Htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1740
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" Delete Shadows /For=C: /quiet
    3⤵
    - Interacts with shadow copies
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\OJTSAY~1.EXE >> NUL
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\-!RecOveR!-wchpo++.Htm

Filesize
11KB

MD5
dd1adc5fb7c796882ff72f24bfd363c8

SHA1
bc2e1587f0034fa5d55706ce80f5d4d657b68461

SHA256
3819b2340df553df608d6f0795d427f49324030d9ce3306e49aeafd6382f185a

SHA512
80aadda60537384c48f8ed5ec791b6cab980ac7a29f6e561d39b30e9ab30a84cc2c8a81ed2159e3d49721e9889cb372ae01aee334d5e51bcb7aa7d9ab4db83b2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\-!RecOveR!-wchpo++.Png

Filesize
84KB

MD5
da68c38142fc95a708906f85aaa4b88d

SHA1
520b19f4e7a8ad3b18f2fa98d460e368db043e41

SHA256
f3d293053e6574ba856cfd6c653cf1a3588932cc0fb71a5eb872f551c2b57d50

SHA512
843c1355b7b1ddee89dfc04e3025208da5ffbcbc71934c80438ac7999cffafe9fcca470638fae4429eec55063584748930ad5fbabcf8d5f45d6549db0b55d23d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\-!RecOveR!-wchpo++.Txt

Filesize
2KB

MD5
9a67a1d9ead17b78f544f68ae7a9c229

SHA1
36d00bbd38007222534cd90832109b04ee33e3b6

SHA256
f4934e145aa37434da058ad6b9c9ca2370cb39d9326cd15aac9eb9a148b138fd

SHA512
0954cc1004cd9d1050b68ff0e15eea6b48b38e78a1d60fddb219986794eadfce8e7621cf97bf3a586ec0e53dbaac7f5b5a35c514cdb29dc972b6f984e9f620e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe29e0410d73ebfe532519d3171faa1b

SHA1
31dac12b0817bc5c6667e596f55280b8e87f264c

SHA256
125e32bd1d7aea75a08bdc8bf0aec1382394ba02c6851541cbf46d0ab863c19b

SHA512
26b5d2044e169f6d09436adba6fe56b74781faec485cd1e70eb921dae82fe978b94082ba8d063c545ff141bf04fc58b15b249ed18ff247aa295631bf830018fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5497cc24d2552dbac639a155b45888a

SHA1
efd8c5a68f1d6107d4e40081ce38e555e7fd3764

SHA256
cb97b0e51d3b0bbc5c9ba0815b10f59597cf090952ec34e65f65681b16bfb015

SHA512
4b3fcae646e179e8e0f6432dc6fac68984e1c155586449f3bacc23729b37efe33cbc7005b4aa2f5fb94c39b9d5841a045597d6e9f0ffce0746e4e15b16930c94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a6cedbccb6fc639af1be590457dbfd3

SHA1
0746eadff54c0bef5dc0df24fb5ec1a70405df78

SHA256
d6be7cacecdb4369b9e15af40c9c8941584e3583a4bb34a2b46b826a396ba793

SHA512
f37b30ee82a6614083ecc752ecf1e4106313a0298bbefa43b92a7a1b09d05b1da8444ba56d891bd703883b9aac2d648cc8847db9e476ecba35619fbeecc2b1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ebe141e5f3ce715baabdd09199be0b7

SHA1
a3b5266921514dcaf2c6316f30a4e718bb8af613

SHA256
e6a7abe046b5e127cf0dfaee4ebd7c8257d4ba58ccf4bd1c030995d2e9d24c97

SHA512
e527e4e3cfef41593215fe3d3cab849366eef38998c8b52633dad8231ac2db1b8cbc4feb3e1a797d7868ef79b1dc1b50ae5bb12f01c4902f5195027b8a7ebdbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5835d9bddaf0e8bdbebf26a4457c10ff

SHA1
9cedbc613bf913177201c214b806ef5a4697e825

SHA256
89dcbfebe3dab046aa5f17ee877a18120b67860ca7ec339b284b047aed76830c

SHA512
d16957ab64e46c51361c20010711a7ebd61a13409198049358f247f6b14f1bedf5018996ba9334dcb03cbced29fa71f7a6aff2ec9a90b2fa0e0614ea819ee6dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
956959f8f1d4820da51126af42f83916

SHA1
bb3f1125805083cfa66e3d516ceb3a8bd6ed7bd6

SHA256
9fbf9f794aca6293278a58366a49382918c33f87ebb58d4affa84ab52dd505f9

SHA512
7d07f5ec83bfded0645fb2f9709b6bb74d0b18e7f0c245f2cfb2244ea1b0477d3a6de703fbe2f0631ca2f0e4c3cde86590e12b130d9fc1d757a7821ec9cb8d31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b6dece270b3d924b3bed458d4744495

SHA1
98d2ec901bb775ddec35e07a2f0a7ecb70a92d60

SHA256
76e10af21330fb7717a1f17ac9503bad8bfac59ae4e1187646b6b6cb8d68d6fb

SHA512
dc746107f293d63356b5b3005dc80ed03b8a10321fe67316d46f59f92012dacf56c53f96ceec2075b54808f6a053ff255036bf19bd12b12314b3fd0348e5b64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c8ad89d9528a255b3fd7170cbd93932

SHA1
364a0f133dc944bfc790b11e4cc563ccbadee85f

SHA256
e1a6c184a1669d4165de939d6b2b477d59a8c010942cb5c20a5b6ef2a7d46505

SHA512
29b4b14a3cb35a3a9b71915e3106e39eabeea028a99156a0db712f29ddcf40f81bd6220898b44775e2ed9a7281fef7c1c21826eeb045036be0d613935d719d54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04f437afbbfcdbc7f1482939756ce96e

SHA1
7b9fa30300c2837b7e2b00299d3bfc784a018a31

SHA256
ba859acda85cdb515d33916aea042aae8281dbf42b4655e9904a37ddf4818b4b

SHA512
0756ba4e53cba1a4272766a8c5dc07eaa64e3257067aec098fa53028918f3a48ee2fbb7d400d546352d7eafcad026bfcb89136a3c0355099e2a9f3452e52aaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2905.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DAF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\Documents\ojtsayxhjuuf.exe

Filesize
222KB

MD5
41fb9932be35e9e5ea61d74f8517c748

SHA1
69330b95b02db41a23198f164af47a151556e863

SHA256
e0aea54912d5f4e793d03303151a5d83b2d9c818b5ce8fa6ea3f609a3273114e

SHA512
c46c433a4cd5bd52ccf23a0d9ff705d1a8eaa123adae5b71f6f9a18a13281850af954850a074c45157dad352b0cce27b3ef6ac905d603344d3e4d86cd0b3aebc

Download Submit
memory/1412-14-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1412-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1412-2-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1608-5390-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2204-494-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-5398-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-5397-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-5389-0x00000000028E0000-0x00000000028E2000-memory.dmp

Filesize
8KB

Download
memory/2204-4964-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-4434-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-3769-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-3150-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-2194-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-1389-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-646-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download