fantom | hxxps://github[.]com/enginestein/Virus-Collection/blob/main/Windows/Binaries/Ransomware/Krotten[.]exe

Analysis

max time kernel
223s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/blob/main/Windows/Binaries/Ransomware/Krotten.exe

Score

10^/10

fantom gandcrab backdoor evasion persistence ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3665033694-1447845302-680750983-1000\JDBZRIXWF-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .JDBZRIXWF The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9afdf213bd7f960e | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAPCCr7Yvx4bonJLWhj5op9a+RswEv1/9OQvv+wcWgJ9f2LtQVLB+D3UbRW9UYNOV0KNFcHSzVVW3b8LRRgVtOGKoobu/UxlyEbRjY6horbs86emEID271XwksH+hvctICimye7Bmp075suDQSPZr4ij1r5O63OylB+ciMVDPV/wlUYX18xUfnNEkN49xz7a6gFHUH2NOOoxbprXQdUTHi2nai1sRqdTQHYgR39wiySDCyqDpf8V8ILqQdEetrjFZ1emJB4iu83QbRvE1JbdCk/mlIJZWpyHKNSRX6mTOjI+ge968YHZpx8fxC49Me1KYByF4NrNEIFFtFy3hUWZgc7pB5SeFmyTiIsQxaaoojXSib9S8HEJDyBBZy+nvb3T25zkBE9eYTckosl7+0RMQl8iHgGzV5iu3QFBC+7z+dJha4N2cwnVEpkJ1cOc8g6JeB9j/rhZcVRARWgggKh2ov+drKy2Df6GAw/x0dOjfjmu7SVDLTZNyet5eN4+lZvU35hjrvvgs/QxMzuAFdWwRo8n/WT9Y4Xsj8bidnMLrox63FlxKlEqAUG34IRBKqgWvcIk9LF5WYacq4UuKbxhLWkI558fzKVDzhezBrVL6Hjw2m8D/GfA7Nj+PMZvBEr03AsC3AvXvg1KOykdlTePiGv4nQJ2t5Xgz5CIKA9Xc09BHco9CSVqvXD6nWZQlbXlcuxsE8M3Bj/lz/Pgt/Q6fIUyvyvCjBokZp9C5FvMdb8ioXJGDxOa2OSB9xsqPSomx28q9J2lY3zMwu7JYdwoOVfoxELT3RXFXAJdJFXR5BwmxRk85UQxCLGgSx8faO8kiPEH7ntr50nQIJnJKyp8taaamhurGm4tppdjy6RCQN+7r2yyjwG71Y4Im30PXz85TawEN6utcioCw6EpDzMObOJ0F3IG1/A4NJxGzG4ftph4G+9xNdPQjY7Aaoa8pOBODRHRsTw+fCYwFpZFfh6Vv9abqSehST3qiGd2r9gI8sVXFsBnqM0Tbr89o6w+Rw7lompd8K9C2scgEYkjlWxKNVV1ZHhqPWz6kRm0woGEYi9DgBTOOSzI21TIe6KXrUfSt9A6P06IZ/g5Rkz9a7wbDad0n7vhctQywaga+DWuvXSZ0rBtd5AO6Dorn1f0w2D+KbR4Mr9gwsr2qKxCMQcNd7+nShcsaJoU+ZamGCqZpT5mqnXIs/e1dXGUiApH5K5NWovzMeLTAc87YZ18p2rkVKq+8Uxvph1Ycwzcxkga8/uZM6M2sj9xdQZLy97082ZmohbC/vZpkxCE4EvFFPBTlTYBLmBGci3jCgHX3vSvVBZE9Lw0ETVC+X9JD+39M1Jv4ZxXtU9yZw4TajJAGLKnQLLfZBeo1uPLWaX2AR8kqf5qUEfbHVx3Sni2/wVWSaKlPTR0mpjJMl21B1k+DVLxzLuUQJaIe1W8EBUmKQQB5xVS1oj7V5vZ4kq6QLLBKrcXyGOjh5Pm1ksefn3KHZoOmZsydMvyLkJgjxhLq6566rNFkdLYpwHeTp/Bk2nxSoOu1wPYW/r9WAVA8UyVtWPdj+90jJQtQhAfTOblGrDJpt1wpILJAmFPI4dL9k1kWU2BmULM7KW9qlYmJIMQYcwKQmcYh/7eq4ZxSZrcZsMbIcq2hgvLDZPSMT+7xVDTk+W07inkgVHGNsvxF4ZekXerQtjwmx/p0NtNYYgw44cEY6ZJUYxdsBf33aQw8bHtVCQhA2jvkOlh0PpI/BZUTsuvkC2J5P+widjdmLNpV2YIXbecfJR0gQFK9s3oXW1UIgeAhL/g13nRs62e4k5ctnXvl1R86DDObyetUJgOf3PZbNY3YmcynKzYHs7xWXoRGx3jPPdanJ5S0IXzs9mQOtD3c1VfrLsIcvdNPuaoIhVKf/KsOomBTfZJix5zQzGL7sfA1wojzm8HpWX+1Ps831bxHtrWO1ux4ExC47gDPr0QkoOVJudKHxpdqcdeRKWNk6MTgX85uwXsCpRXlO81s6WoMqM2G4MMfrEB/vjKMee+5Bwg4/qUTd5o7Hp3wq49/zFARDa78xilMiXbo394OoC1ayKEpeagrf3jB0eaPN77nVNE9HARTh9bwOT94q7fL0brqRdx7bsj2lHszrKE1WGACthletLaF5qgYU+vttNtYF+5BpuUVEKAiHQLkLfLsaBK/+qcGFLPc31/fGE5uznhVnRH/OxlUS2NzVRgT0Ks4wbON+2fAB3C95sDOX3MNBSCPEceZLiY= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDu9MTJNJDJAvCVteDQRX7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJdNBcBnJq+sZoR+K3MLHPmYaR2EeHP4/y9fNjLLTjDKP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypS8G1fOlWzmZ7q54AOw4gTmwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/9afdf213bd7f960e

Extracted

Path

C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>SS8r4DOEUaY9nXSXjtM5v8WihRQzm5RgFZVZbw+BS1W1WLNTRZAa3aTWocYhVUy0436b0HUN+Dj8BjGgAkJExFAP68M98EAItMZI3HPA1frZvNWXAmKBImX96RZ2P0FLgp4y9K8j6vNkYMHm/Jb3w8YWdG0RP1cepCw9MYH4EQZUYhrstoCplHE0QOedZ1i95htuUJapRTEagPAZhr5eHW1VIok+BZKv2+HoGWr+n7Z9jIYcmDl4p/ERS99nQweX0AnCtIBAy9iWNGyaDGa6fMylM0SfC4TjifhMLljJHlALgUyDmOXC9KLWIY2fUI4Qy6p3ju0RZlbjRcOZUdwnpQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>LAMOIlRaQqhmK9bluELGLRGB2qa2os1HdTldT74JMAn4LG/b++HLYimRQngxgFQo6d/y7RcAazwcmBk1jjvOpRAGVxp0ooOmxtmPTJ4yJOgzES9ORxhUNzX1hrasYoTWNBXl0zq358dj+d8KB2KdzjoazEykNLqK9IMKI2qwXHgju79UZ/MmJNt96wjeKej9PyGfo23er002jQSfJhFMcufCES12dppWJGmwwZ/LRp/Dx3MUae5h1LPoyxzADp7jpRrHenvHfqzrbf50j3yEyUiE0iu+BwSuBtb4RrVHLvmRtJL1qDML5fen8rGTwCp3yFPIFDdO6EsC1mgOpwTESg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ljgXhBW1Yqb3INJJ9OMM1my9jOWXKJIfPPaSiG6UbGamqyPlSjb1f3xuDxh2XnPeDzFmrh+/Q95VOpx7ise+vpJpBOmNkSfsNuD7E013kKV8lkqhHiDDnLUazNjSbI11Y9uRTcCBmJgrFukphpX3ZQ7GmbKa5QHDG9ONgcsHVTQ+mJyfagpC7uxW0nVk538CKtcKctQKd5cS8CqDH4PG0T6zis/26TweTimDvRgu27PhsWxX+RwHo11MUodYkdWErgWm1YnCF8Hmac5t/NWcP1ZBQg0DrrtvpCLBRB5FpDwijfTcmsQ7stWpWxclxj5tjfChY9G1cfYpLG6xJilPNg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Renames multiple (1008) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (289) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\JDBZRIXWF-MANUAL.txt	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\bd7f91e3bd7f960e41b.lock	GandCrab.exe

Executes dropped EXE 1 IoCs

pid	Process
2076	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
118	raw.githubusercontent.com
119	raw.githubusercontent.com
120	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"	GandCrab.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-200.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-20_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\WinMetadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon96x96.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-100.png	Fantom.exe
File opened for modification	C:\Program Files\ReceiveDismount.fon	GandCrab.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Moustache.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\24.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\75.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\3DViewerProductDescription-universal.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseEar.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\75.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-lightunplated.png	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\pl.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\195.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Logo.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-200_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-48.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-16.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-32.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\HoloTileAssets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreBadgeLogo.scale-200.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Web	Krotten.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6060	5468	WerFault.exe	135

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5792	timeout.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5468	GandCrab.exe
5468	GandCrab.exe
5468	GandCrab.exe
5468	GandCrab.exe
5696	GandCrab.exe
5696	GandCrab.exe
5088	Fantom.exe
5088	Fantom.exe
4620	Fantom.exe
4620	Fantom.exe
1136	Fantom.exe
1136	Fantom.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2736	Krotten.exe
Token: SeSystemtimePrivilege	2736	Krotten.exe
Token: SeSystemtimePrivilege	2736	Krotten.exe
Token: SeSystemtimePrivilege	4512	Krotten.exe
Token: SeSystemtimePrivilege	4512	Krotten.exe
Token: SeSystemtimePrivilege	4512	Krotten.exe
Token: SeDebugPrivilege	5088	Fantom.exe
Token: SeDebugPrivilege	4620	Fantom.exe
Token: SeDebugPrivilege	1136	Fantom.exe
Token: SeSystemtimePrivilege	5220	Krotten.exe
Token: SeSystemtimePrivilege	5220	Krotten.exe
Token: SeSystemtimePrivilege	5220	Krotten.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5696 wrote to memory of 5744	5696	GandCrab.exe	139
PID 5696 wrote to memory of 5744	5696	GandCrab.exe	139
PID 5696 wrote to memory of 5744	5696	GandCrab.exe	139
PID 5744 wrote to memory of 5792	5744	cmd.exe	141
PID 5744 wrote to memory of 5792	5744	cmd.exe	141
PID 5744 wrote to memory of 5792	5744	cmd.exe	141
PID 5468 wrote to memory of 5872	5468	GandCrab.exe	142
PID 5468 wrote to memory of 5872	5468	GandCrab.exe	142
PID 5468 wrote to memory of 5872	5468	GandCrab.exe	142
PID 5088 wrote to memory of 2076	5088	Fantom.exe	147
PID 5088 wrote to memory of 2076	5088	Fantom.exe	147

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection/blob/main/Windows/Binaries/Ransomware/Krotten.exe
1⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=3804,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:1
1⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=2852,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:1
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=5152,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:1
1⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5312,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
1⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5432,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
1⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5936,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:1
1⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6128,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
1⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5140,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:1
1⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5132,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:1
1⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=5204,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8
1⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5392,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:1
1⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6964,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:8
1⤵
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7156,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=7004 /prefetch:8
1⤵
PID:2944

C:\Users\Admin\Downloads\Krotten.exe
"C:\Users\Admin\Downloads\Krotten.exe"
1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Users\Admin\Downloads\Krotten.exe
"C:\Users\Admin\Downloads\Krotten.exe"
1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5112,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:8
1⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6768,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6884 /prefetch:1
1⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=7008,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
1⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6236,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:4920

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2076

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=6628,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:8
1⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=6628,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:8
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6248,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:1
1⤵
PID:2772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2280

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\Downloads\Krotten.exe
"C:\Users\Admin\Downloads\Krotten.exe"
1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7236,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:1
1⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6516,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:8
1⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5848,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=7380 /prefetch:8
1⤵
PID:5404

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
  2⤵
  PID:5872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 1676
  2⤵
  - Program crash
  PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6544,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:8
1⤵
PID:5368

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\Downloads\GandCrab.exe" /f /q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5744
- - C:\Windows\SysWOW64\timeout.exe
    timeout -c 5
    3⤵
    - Delays execution with timeout.exe
    PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5468 -ip 5468
1⤵
PID:6032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\JDBZRIXWF-MANUAL.txt

Filesize
8KB

MD5
be08a2337c7862566fa72bcbaf6b352b

SHA1
06a2366898be456f251454323f2ac8ea8d412fb9

SHA256
059e0aeab058ccc7abf423cde6613527d66837a219745d29a0f4b2017693910b

SHA512
70075d3b96bca03407f3d3190001017c3fa67232b9612626c82e195af57780f18805211b95d52a691b8200b3f77acdf3b6619e3d43aee6b5935dd365cc63440a

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
63b37bb2ff0579784e093492ec587d39

SHA1
8e5453231167826871e83ba5c3cfc86fb3c7036d

SHA256
49fbb91f535b29f8a0d4ef5b89533c965117f0e527215ec8ef12b34e972a58e7

SHA512
6603f4666b99e9832db33308554aea4f643dc479bf9afbf5d138b3cccea4cc558a7a358797aaeaab4ee4d9ed6d6d5e2eb5480d228d388d59ed9e4a508f18aea2

Download Submit
C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
68d03befb46576ffb29044c02f98d4c0

SHA1
52e47e4f3702aadf6a31ae118c9db7aa1db7960b

SHA256
172393a41ca73a61e8f0fbf59d3b6849a5a60d567dcefa312ea2b00bd92fc3ca

SHA512
5b13def879d67d9a37e78e5cdccc8f0940b623a5534d968f7f023d68cff8eeaa45d1f1ac3739384285a482999aa45932193972dc9aab00496fdbaa24f44aac2a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
3a3cf51b576d0e4dae66688f022d9fa7

SHA1
1a37ba9daddb5f1856ab2a2a7f63861f5ad53240

SHA256
24d32de4f38048a001c63cd8e2f65072e87606f3cb98dbac0892f6fe6270bc7c

SHA512
035b101921e83372fc3f274d8685f80aea2703191078799e4e9fb762c0a330ee337fd680f6ba28c087ef82e236bd1843c5990386d25f0c969f84bc47a844e6ed

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
60d59feef7a8bf9dfc36dc5f4959ec34

SHA1
48dd7ca10a87baade8ba5a35d8902a5bd60d7a9c

SHA256
ec28cc5011009ae49a4731884fe0c851dde1cd5a10813d2c8bdb0638ce1e4a29

SHA512
a80d5fc2f439cc621289869c911dc95cb1a0ff1c12160cbcbb9b5bb62afa8a270f18644dcf6e5b492338939b646a789c44679c74a4ab43c4b8048deff1be0461

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
6e6fddae5d319c38ed847232ef50a713

SHA1
3e0c6eca07d30c995b49fe57122885909291b420

SHA256
527f5f5fd6ee404aedf925259149bb234b74524f72b68e24506b2909be956a14

SHA512
ecb7504ae601fc03fcf1410a063747beb234e6c6878e99080af13897f5455957024dcbc66ef40a493fa0a7aef4c3f90b19d09a0cf076e34762b7b974e41f5fc4

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
31KB

MD5
41f1cad16e983c0a3536f250cdede97c

SHA1
6c191d55468be8d959df6555d46a5853b5007728

SHA256
11f9afb0ed2f4a7614f52070895d7d979ffc1d687950d9600b1adc01042d3727

SHA512
0ed0b8cb0e2b34d01bbd16dd6146bc4d7021b57639e7b45e01444d8f50242fe0c9cc91849c1032e696d910c39e38d51048f80c299210297365f270caae0f8baa

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
a3cbfb67bfcc396a71833620dd1527fe

SHA1
f945f6182a73b002955c9255d948f68811c38b73

SHA256
e35ce04d7c817128e3dc7b0156a5cd230d8a14653c3d8a06281a9f2a06f4bffa

SHA512
5fc6033fbf45cdaeba34b4ed21cd222487bf63ca3622e76431de738de9e06abaeeb5816bf67155891b8d5833e7f09f78707c8cb7f2d90f62b015c0e42fdd8367

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
262be8a8511b2ec1546f2520d31b6b84

SHA1
6ebedaa6729950144ae4c7338ce158cb68467657

SHA256
694bcc10487017163770fbfb8faf55e4fe7f7719da45e2d8afd990039b1c33b2

SHA512
33b69088c7fbe8e33cf3790d6aac9865302bf77aa0c841a131788adce1838c6cfce806e90d3485c83b469ccbadde8e603a9b680d8591eee2004abb367caa7222

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
4ddcaf7647771acea357a37d8b48d48e

SHA1
74234a4d6d04430b830c9ab49afcb63375a1cb0b

SHA256
42420083becdfd0bfb5fcaf2ba3040b441e2fdb53863f5412790d04780517e9a

SHA512
5a515c0782909ee22d51e56be73a67f034a2bfdcb6cf7065380cc5563822613a8cc452999cd19db9f1e36ec5626d743321999f6671437cdf71a5b3ed3d5d7e96

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
1ceb51ec6b4b34ecfe3d70c8f2db5f26

SHA1
e2b74dcc6625f1d7febe230a23d238443834c14c

SHA256
ad20b785862b6dfb58c836de02b9f5d2fc5b7cb15e2e12f31e69f51e4187ff0e

SHA512
b6767b728ffe64a411b372125eb72c7ef1c1e2f55cab6854d2d1964550ec9c2a8314171de22281d6710076eefed67ce2ce325d0dbce1158d1a185afed4bb59ba

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
8963e44ecb1316b683152a394eab9d17

SHA1
f981938a87219eb91bff7498914ed8ec3ebeca1e

SHA256
9daee9fa48da126992ac2f48610aa6d98694e1595643d28b7bd63aa05586dd7b

SHA512
ad8d1ddfdbf092a1f15047df73cc0fab3741076e66fa98d3ace5038a1f52b6fd2779d23fdff98d81fb61c668d543dba87404b2bfc48fa402d785b36e8ffc398d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
f93caad584c2dcc3a614e13ebe639933

SHA1
7c0fe52b26af41547a67ee200bb47213833c0fa5

SHA256
c09a17bcbdc2efcf6d9b5ed2d045c9798eb00e825ce3fc5a24c5aaa4b504a583

SHA512
93a38b594a223390bff6013ad1dcdb0a85db33f7cf1c53979b518306bf5dea33ac7121df95a2c20dfcba1652bce8304a783576bc053b8c85dd228d81d1ae97da

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
ca43a92e25fc3bd772f29953d6a904f6

SHA1
ec750d4f2c4423347f628d6a2dc24ee8aaca8acd

SHA256
7e335fe1045f75ddf741f975a56955e1920cb857c8e365c8f596876ae417170a

SHA512
6b5369036c007e8e2704faa7e517296d1f5e99290c133251e270c15452d7cd1d1420075562793745cc045cefb8773711e2bc110a1b9f9129c09daa131ae626d7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
176B

MD5
d278e643feb96a16dea0f8bd426da28b

SHA1
c4e04422a27fafa8d5c2ac2ecd0851e67ff21bae

SHA256
46217fa84a7080ab7ed518a280b439e78fa8ceca462ed455d97a95095c3b4025

SHA512
161dc093dfb4269636b46dd63c395548bc721d502207125780748ca9d8ed3cadeeaf63bbef8c807a3d2c7064c4fa6f9c08d2c6a95e35ded2e7790804649913aa

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
b8e2a25bf3ff9393ab1ca38d26cb2621

SHA1
d67ec18094dd85ea2196463bd1fb32a0d8fd1fc6

SHA256
82f184565f6f7c5d185aec884ffba6ee7957060e74d4d506ab81dff4a4f4f944

SHA512
e3375ed0caf6cb60d696ef0c2fc501b667d4b805127275e389bc463d790545e5cec8bb4d5ea2a71d1c943f51ffb26afd397578022c0a5e4329fc5c750236916a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
623fec9146a2fee1f6adfe7b65fac2bf

SHA1
a0f436cee212a92977bd028cadf88b8d238f7c6b

SHA256
f11bc8d8c94fb26219c9b8150862965546d5ba9775e2d68212b3ac3df7ed6e16

SHA512
d39cf37c3277feecf3606424cb30e91e80787915b2aadc1b56187c94cae0ce002ed83f65275ad427d070e7c7c51a0aedecf54e49bbb15de25a9d051c5daa3651

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
3d52122614cd8700d86a5c6b9b5326e6

SHA1
bdc144d5750a3ab79df846c5dcacfc43d927f8b2

SHA256
989b23f8e5793afaf7438aeb886d5f18e6e51258fd9e16e898bf5c30c6d179cb

SHA512
a2b096aae913d94b496dec0330d71982c22492ee628ccde59176d897a879d16eaf3cbe0b07c98310209a9bd8779d0d3ecfe94535c4389b9043a2086e62b02b29

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
7ea27393c8521df8e16a79fa0ea5c955

SHA1
84b87e74b5d2781bb5ca5563d11e08effae12195

SHA256
31dde0e885ac66c6436c3c45f122fd026d110481a37c44ae432e5ee899e6e030

SHA512
435960db8fb0cb239d69e0919bb1bc91668d3356c143a9641c02bc7b58a58cb7d57e2107ccbe73203235baae29144c5357c19b34a0343b297a6ecd410e4a8965

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
0c686466e851a589ad4763554a85443d

SHA1
ce5e8c0e25fecf70f0e2847f27f1176e3416b245

SHA256
3226af75d720ebb5144c6db363f5952ece9aaa13e00540faff684400b3d56f99

SHA512
73b7642ccb13a652f108c34574a28aca2090df5eeddd68eff5b96e177b3bd7389442c4b48aa952c2e475c795d6ab1e6e09391292b6fef779eae4c5f55ce7449b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
b90f8079b055cf0cf20c3b0674bbf8da

SHA1
fb5a9a0ae3d0e02bc10ea593b05173fff8ec1017

SHA256
b0ac2d75af585a46f2b0bb9527d7ba24262af98f8f73d02e75e1b2c0a6a92716

SHA512
6ddc3a2156f27dc148bfcef3312eac649de22cf8e5953d659941c35f39da86482563e99caadb4c51cbd56a94221e4072fb138418d96cd4c580a5d2e7ff342cea

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
b19de522e5ea83ac9af184c5f88f55b2

SHA1
2158603f7d8a22f3ecd2dcb1e7cf47d90799830d

SHA256
68bf04d6b9619e1da2f90fd71d3265a28bed30dd57989c196c664f71455554a6

SHA512
d7e9cf9a09dfd3616559f72742853563d48e6ee470829a8326398843c1b40556e42b40b4a97b85c15edbf2c2892db8c0982bb8c5a8908ad78892a2cd49eb91cc

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
b5dda17ea502069fcbc86710ea7f2fa4

SHA1
893909cd891cab74f2fc0e4ae0311e015f313ef0

SHA256
93786847ec522572d808685f8406fb7eadf1b857ed6dc051210dfcdd8bfa6471

SHA512
35d1317d3c28e88fcda04779bb8a43aaababcc4ab9966322d36d76ba0285e40cda1b22122eca62b32ef816c6b48163791c6827f25ce5017d7e3ab9f72d0470d9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
a1d4bf17b8c38b0072cd1647891241a3

SHA1
a7f886364f4158d6190dc6860bac3fbc38008cc5

SHA256
d0c1144cae1a189f23133381a1354779b2a7fd374e668da81ba82bb60d014fd9

SHA512
e913a149368a24eefa2cfb6d3a0a7584579758235e81aa3d6b8bdd40af8dd31e4f8ef22e4840549a375d137157e511d78f78e9fe45fd2e68d867c74b6cc10205

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
e887c280c8b08ca4fd1f8753ad810b8d

SHA1
7c397fe1c483629cdbdfc7fb7f86125e3461af72

SHA256
5aaded7d01675359f7a07711b192a4de71a772f81f4af4eb7bbf60eb6414d368

SHA512
133b502d7bb03512f09e2d0ed7c34013e1cf71da77087ca2a0d75f4996451c6cf0c6ad38c63c38d22e537d5d0c16d802b76b3ab27ad5b7231953b50a83d66cba

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
b93f49a2a3ed07c9d3e95b43a4a8e396

SHA1
b75b8fbd79870f51926c392bb53e11b161053cea

SHA256
fa20dd840b82160ca5b9c7d55d4272a7101883b4873da659a77cd35c1913af21

SHA512
72e873c3a4f6133a6438c038fca72db6ae4244b830e636d819c8254cdf8aa3ba89d8e29400d985b58fded13d1d6b5a2e7a859b4ca6bbd1e4dda2a309b8d2ed83

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
ad335c96cecdc6e176eb994c3d3cd120

SHA1
0889e2c2ac5f24196eb68c24c3b20214f2040d69

SHA256
4c4b0af652a011a75bd83c5327f8163fa860e5e0ded0fce353e4ba4cfc65bfe5

SHA512
6049ac19a1754416638bd7341af07c16a8e3aaa4818054d7b52b47080e75f1557b5d30ae40a8cd14e6caa050125fbd03aa3be6c4de66c79f3ed6fb87581bee00

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
8e4398727377261fc52ba5b7cd140d86

SHA1
5d2a4948104fc95ab751a460ecda503d560d47ef

SHA256
0f64ba3ba84012019a7b8524124e262894dbad3eda055eda82f0441891685c81

SHA512
b4c65ca89f8586275c2f9a4c2ee09865eeabeec7ef72d63de9f0390c80985bdf2fb538062aecc98b1119217d05eaa95309c7711f9799e59360eb52c5581af7c8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
a948e1881f82025234e11f0d6bfdb7e3

SHA1
ad6813bd5e0950d1e780e955380cc3098a441a22

SHA256
e3741e7f482c3a86929e1c22747819b1732a1f0c493a19ce0a7a7112001134de

SHA512
bc0eacd89a6eba0de0ddbfae9355befb100c0b5329e610bd43b847cbd439ec8084cbd45a326c89d823a02f20a0842837bebfd121eacda46c6a11898199eae5e2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
07b8c81be564e5450d3aaee4aac9e298

SHA1
440b0ac2f638628e8407d1503cdb01d3d8cc0d1a

SHA256
5087ad7a34f6aa71b23fbf0eace664e54f8de23283cefc51b3d43b49ea1e9b40

SHA512
707431d32873010881c4eae5f0b460fd723d541481a1d63c6b4820ce71ce48bfdb84106d17737ec99d5e886c6fbaa79e86a79197f90741628799624e42cdddd2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
5e78c063b6538da910cb324bff932810

SHA1
5917454e669c84e4ff719a646b23509a04ab85b3

SHA256
9edc6fd8badc825d43a2bbce1967b81f9f194be39695513bd93e1b4f8682212d

SHA512
fe348a846575e2934ede3d3eddbee148097165876c76c105235f8bc3e2f7583b8cc50c4c6f3ea7fbb8b848aa6026929c464b83cae049d80015390ebe63a40705

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
80f234151be6b129906cd00cfa4f6348

SHA1
325d1f537baf580f7dade7d0aff2f9dfbbb16e34

SHA256
da8940450daa8e944f2cbede5dfadab9c32145eeb12daa15e9cf7b1913057225

SHA512
29200437ce54a3de8bbc7b9c2653a8de4d09f0e29e6f0fcdfbce6eeb6da91e5d76105d33bfe067a4c66f6935ba66f5a109a9047b455bd3e78385779de40993c1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
12a40cd2a1dc113904e038b3d090660b

SHA1
9bc87152cb77bdeadc78d71d685c29998c09871c

SHA256
7c54c5bd2fb6b6b0911d43ced7a01e8a0bd9f3e6b073a4f71fc314f5d9a93e46

SHA512
dbf4e021ea964350b6778ac7c9e4234bbe370d64636fe899efdce0bd62db9a1b924d7a5c301ac01dc49ec41ba3db9b0526a6a8ad5ea1ab6f8004dae685fdd85b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
aef6b84d43dbbbf802d166faa019110a

SHA1
53aa4e14d71a8a6574cda3babeb818deb58ea9fb

SHA256
9f5bb66f1dc5c9ecfc833b78789f8f111925d815461a08d6111f46db5a7cba13

SHA512
37ab30a5abb8ee4f9d1c861ac6193b84b830b53a8f34de59f8f2c1ca0efe8391319324eb94ab562251f623bdcf068055b23e8c6cfd4f75eb97c9e0fc2d255edc

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
c2b896898d88e36bc659d710ed8ae9be

SHA1
5cb4dabdbdc09f6e2a7859795bcdd8499a3dffcf

SHA256
12ef8df98045ab49aeeec8e57e733029e318d7188df7527ab6194d1a83787a78

SHA512
11d2097f3434b50dea7e7382b81c3c8fdfae8b972b469f0cb0ab1f3fa29737ab5316560e103fae562cd0d636fdd9c5f6e61e8bfb60cadb6609b69a56b102b8e0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
5503d7b82e9bb834c24cce6d32c11492

SHA1
ed0a3d3bc290bdeb958f9c285c6611e87b72a05f

SHA256
753fffa7def54ebbbbeae1cd670c1c6e5897b7c78eec0d98ef746202c1f772f5

SHA512
8a14e14a878e6f0cefb28f2985c383bbc87b7a479b141334f7a9be382004ca626e300ca087b221409e3643f6b367c07a5f1896a982079e9ff48669aefc915f32

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
7c57f6de217e5152da7af57b185ddefa

SHA1
7fb9c9c2ff73565802a983608ac7bd908820d0e0

SHA256
65d7a0b67b445fd95d91e81b5d3f052c34b541c9b862ee285da0035d8780a2f2

SHA512
ddbad0ea33c4a59a047176655fffb0f87eb8cafeee107862cd19467e52de17c739c871e23864e7d048ea359a313662d40405f532312ed834a042e9b1230d540f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
f6de00354c0a940e14f76283fd8aa810

SHA1
f7b4ffe2de11ad085623869cdbbe6921749b2621

SHA256
b77ccb8971bd463ace65d992539a3f86c58e2559d2e06fb447e33a3994427f3b

SHA512
2a670f822c97c9bc6459c1321793f3ba1eb4d3abb47850eb0606403d4ead4aea773104bc248d1b801218393e550c5d2f019efc9a85e5a25426f28a2b1d062106

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
fa93503c44b6384d81d8ee7d9f76a090

SHA1
2b2285efbc968d37e5ab83e94c2aff52c9c17fa2

SHA256
b75edaac052c82509dba39b2793ba752b27de73a602083a1959a02c5c67afe70

SHA512
01cca417af85bb25bd3f90658784d896422ca7f3be99b37eb9555abe0ed3ca1b7738aebcc72b4f80c8ec4968e8129ddfb526caddd273860e80790ca0449edb34

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
52090a2eb05b2d0cb4916327ad06856e

SHA1
e4d70b59a7d7a3ac4f07aa81d5482fc07d27c65f

SHA256
2b9ca354d1e9b94126355fec6d7634193c5b8c965cef88825c36131533389cfa

SHA512
b8a919f3c52587e322b95ca04771879e6b6c74999aab526c5ee7f27319c316ec507d3327e2f81dcc3a28f14816c8d49b6f9daec589ff1e293288f2ed91496f8d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
0346e4f5b0eab4c3e0edc336fc2a2079

SHA1
0caf887128338397901193da714909c9b57767c3

SHA256
0b72ebf5001df5f1efe2bd68520c6e5f53d0e2cffe0c3daed72c16417367b4f7

SHA512
58874c4891f66c2a9c8178d61e07d71a83bbd3ee7f253d3e44b0dc3953a3f3264d4184bf5075d6c39866a92a3b3a9c0c542e39ce20c3e98a9f13e5b39eb36a44

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
adafc833751367ef45f154957012a0fa

SHA1
c6a3cf0ede7576f34bb87cbc8d8de610d2e73b99

SHA256
1653b14fd703a8bcf6258c6d82eab0f8fa2753ceb486871bb4748a891871467c

SHA512
5024fc2ca35dd169e361e095d57cbb5dd29ce8c0926901546eabfe3cc645d58a60671c4c9e3a3075dea3d02e169207a48d6a319938be55ba5777979f54520f02

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
275c8987f6e36c5b55ed7f078ef54a2d

SHA1
14a88aad3d1d3e970e01563ab819c28c251d6d80

SHA256
e77a78b86ef66a4d273e381d3081a9e9b5fcd3d80a6cd89597ab1c2536206748

SHA512
1c7f3307bf9a95d28d3a79f01dd777dea835e4f81eb4bf575f2469713b1c366ddd8b2da668c399ac7f3fe5d4ef6d47f08b5d222d53c34b18e7bf0259d0743aee

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
35d7d04f4a891e001bd809040d5b5bc6

SHA1
98bc37441208930bef71f1c439ec3523938b9db4

SHA256
1699341bbd67282f9aca64854589840f0dd2a378b3ba83b2ca473ba5a85a3b51

SHA512
6ec67888c82bd46e0173b66263c02884750f6f643bbca269e4eb52f51719ad918e288f29a55dba3d33d3827de756177484d1c28aaeacc223150f378c8bd724d6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
117dccfbaeeb0cd46cf3059226de77cc

SHA1
43e8ba17fdf3bb619734ac48122e7b924c4232dd

SHA256
0f9facb0ff423354675408984be74c847bfcd286d38ffc81b275c12d94d2300c

SHA512
5af3e046c22676bdf6c7e37a594ea536c1fa927b64ec401b6bc45765894919cdd260e8f830e0e382fa5ea3cb6f7e26be0defd2264446abaa97c8ec2718e908ef

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
bf1f708006400062b3eb1274a3d784c2

SHA1
421276a580bd2fb9cc010d2e6cbdb9eb801aefb1

SHA256
44ba0be6b5cc3ca8a97f464c52019538c2105205491dbb376967a549c0faaf19

SHA512
34bcf14967268c72d947f27d6c87fe22b101c16603fe2a040f928d40be5a795a930e51af9b04846223b9ef4636d976bbfb502001b388df3b55fd115a8040fe54

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
862d8179eaa65d94083ce7f71687ae1d

SHA1
c097c41b77ea5cbf44a83aaf2c3be05ec48f9e7d

SHA256
18308175a6dbf68e41155730248605394841e973e3743b85ba1f7add8c80ad07

SHA512
968fd0b1e3d04cb293e9c5bfdc587d8bc40a8fc66f31bd4fdddba633b857a806ac925651ab5a4181a2081677cca61ed00107466e7b61f81d8b6fa8b11bc1c41a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
906bf70a0ee442d39963872d9767f2c8

SHA1
a0369d45dde56c49ab62fa0bce0d1dead8f36ee4

SHA256
f2003ebb5865a3fd6f1b5b3b2f797865407add55478732625ef02ea960cad88b

SHA512
dbc3cf338fc441e34f9d6ee98c0b32ff668a8f0838839cda260402dc53619228ac2d0d747f7f121f3f35da1750e94cda6fab804ad6e83bb21228eec4cfec797d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
6044ef11f834b7b55a2f07ed1380e0e6

SHA1
16e64eee9d2a5e719a438ace874b10c9abb47392

SHA256
c4bbaf016b54b2e3a68ba54b320a2ed92866a94e75e8d05e4aca52c21fe12e7d

SHA512
e95f31505694fcdd043fbb564bc6980e1c66c65f6076633eb6538a20dd463473ecd4331d80a2ab46c7003f66779468b1010a2fd2a62bcaaf97ce627ae2b3b1bd

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
1051e0dfcc3f4d2e05af309ac4a4ee2b

SHA1
2f2b6dce4b316f4ea27c4ca16bec6b02b9b5ccfd

SHA256
5daf36108d031c38d68e86b8efd56bffdaa673b519f815a918e7688407657ad4

SHA512
3aeb7549f83757c32cb9168517297abe1683ea13b4e7909ef853c56e9566700f9a2f18048a895e144a11f0b3289c06d3e45f82916dacd27a1a17b19ece5b821d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
3c517fa545a7c61e10f99ae7943eeaa0

SHA1
3479fab9fbfa2b2aafa17593dde372dd3e90d478

SHA256
ea9568d425c931e5f43e4116e98c2c1cc67ce696c83e3c2b62beb164394db10a

SHA512
ce047953c728050c5e05bfc03c3c4a0480f84feb7d03d5d7ea9b2db53e3486ed8b0dcb83aa37f1bf100fdbddeca599fe7f3e3e99aabf43c24d25510913a281a0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
04162e9a72beb82b222b60ef699596fd

SHA1
10ad973dd3fed0a59b414b9e4a93d94a15e780ec

SHA256
c4837df4f7a69d5d4b0840420e40481ffdf7088c2d6af511ba70c3be365686d7

SHA512
7e79000f1b6bc1b1fa2cb0e2b074a50a6e5a11f230f0000a009fbd41c05d4dca86932d1d7a543d73d9a9685e4379ec6c455ed85ccbd73e876aa9cea509ab20d7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
f2aee1c9a9cce360a9749f06c6dfa4fa

SHA1
87e001752c2f21680ad40c0a5d41e43d6e8f1d69

SHA256
22d5c09fc9bc7f3b4cef6605f0e37e7d473db531767dbffec97555af2d3f708f

SHA512
f03cece01c558eb4bacb96b1fc38ab8932751bdd3869935b9640710a11d12d80fb31c6372e3c14be0c1b267078c9a801e57ef9f011b0f40c8624d3ffd58aedea

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
db064c1946aad589dba40fe887e1ae61

SHA1
9cc179a47f6b99e89634d02a210cf5aa52cc71ad

SHA256
8defcb2d323d06aaef8e714d98a0701121f1b1fbefe740ad08031bda181da949

SHA512
fc927526fba1a30100950663cf24d678cd486c8f8f8190e50d0624d4fd7417d09703008c35bd7b36f3516a7ab2e09ad9bf13c0634762aa5169831f135815f9b3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
89f8de569890651eb1129ed779688714

SHA1
7cc2fdf3b3764ccb54734e16ac035cb2e93c5aee

SHA256
4351d09c6b553fbf338f8f3511a252cc08af34bc615066c56c2879c2e2a9abc1

SHA512
562b42fb0c93c98be63d6a1e5aa9811b3d9ca45df14adca1b3766a0202b8bc5b1501100c357425704956747d051eceabada355eae25d6d0ed03b9bed4e77f7ad

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
1c21f0f509ad2b1d38fde831ce46f8d8

SHA1
a6dd5869a9efe71fdbef5bcf1127de9727de1cba

SHA256
6f979f121259ab07291e900ee6d4a0e067ee04a2134e3a096383d92507047541

SHA512
32c1aec8dcf58a7044786465ee5c6fc8e84c37f5483377078a436da93e5b2ea7659bcab5c134fbee1ff45ec364b1ff5251b41ea25fd87c961911181a50295d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
e33a5ca00ca628038b5f6057cb9aa12f

SHA1
ee644e0bf1856430713e95a67787d1a99a7b3f9d

SHA256
0ea30d98c2fd03ed016d1002281ac8884890688c2b5780daabc55e9324211633

SHA512
17b13565fe2f279e1143e494b7f0948878c4759d841fc9a2fdc49b0c7c3b6db77aa6ccbede9dc4cc5d98236bb52bb0e54f2b7b0848273b635518b5035ae6cdbb

Download Submit
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
a9e6c933b7673a638eddb31307318dc8

SHA1
baacbeacf9da218df110d7456ef81a2cfdc423b1

SHA256
0a7b5f9c09836defe72dd6d5a0eae29619345382fc78b70af8a5710bf6464043

SHA512
36f5e8877794fcdc1e04bd15de4ca12d8ba5ec40dc6a9693c1a612eb24227b754884f1ecb09e9169cac6a5b2c3e5691f040e0acea6773af35aff605f55ac4422

Download Submit
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
a191179f2feeac35d0beab0f8d62798f

SHA1
53c354d35bb89bda0a00f7c3af6637877bbdab0f

SHA256
eb5c65597ae89163576cb93d925a6bba349e1143e18091e0ee6aaef54710c857

SHA512
a63964f57d6eb008eb56509d0f4b45aa4d4661bb955b7070d115b1e8a645a2bdf1db33d78086fba4b2e579ac64547fbaa143c3b6db3da7a4d4b6a5d3b2f76e20

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3665033694-1447845302-680750983-1000\JDBZRIXWF-MANUAL.txt

Filesize
8KB

MD5
cb9c73eb215fcd8f1b8e7486d9ceecff

SHA1
b634bc0d627b8b816fa2263a9317c8d2a6f1a207

SHA256
7eba75142bcd9d4c475ee3fd9d619cbafc972dd1aa32a64f3ebb5fb52f595cef

SHA512
0e84ec9fdcf755b1906c60afd8647f02a60e4e933c175b0433cf491a7ef367c74ef408371ca81377ed745d18c549150b8acd22e98737956b50c19c6b530c73a2

Download Submit
memory/2076-1146-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/4620-134-0x0000000004910000-0x0000000004942000-memory.dmp

Filesize
200KB

Download
memory/4620-388-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-262-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-261-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-260-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-259-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-25-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-37-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-387-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-133-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/5088-132-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/5088-131-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/5088-130-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-45-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-57-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-7-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-9-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-11-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-14-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-15-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-17-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-20-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-23-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/5088-27-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-29-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-32-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-33-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-35-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-1134-0x0000000005560000-0x000000000556E000-memory.dmp

Filesize
56KB

Download
memory/5088-40-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-41-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-43-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-47-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-49-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-52-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-53-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-55-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-59-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-61-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-63-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-65-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-67-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-70-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-21-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-6-0x0000000002740000-0x000000000276B000-memory.dmp

Filesize
172KB

Download
memory/5088-5-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-4-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-3-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-2-0x0000000002740000-0x0000000002772000-memory.dmp

Filesize
200KB

Download
memory/5088-1-0x00000000025C0000-0x00000000025F2000-memory.dmp

Filesize
200KB

Download