Analysis

  • max time kernel: 93s
  • max time network: 135s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14-09-2024 13:49

General

  • Target: RNSM00483.7z
  • Size: 47.3MB
  • MD5: 089cee221e08d8edad93795d4a0ddacf
  • SHA1: 56c1ef11b308e8def30e19a8cd2b5d908eb20c78
  • SHA256: 75f2278a58d14d126c9bce4e31b527cd258bf00ff36ea128374a5f2bf0f86e5c
  • SHA512: ea2f9f01ca0681e73d27c03b609a0c3ecdc9cc78d4eda03d88e844961a267ba63d81caa6e5f3cd6ce122a243b8dcef5fa5c600ac1b410aede0a8f1dd4ed0db17
  • SSDEEP: 786432:4g8X+Ijnxcyzew9udeAhP5XltZehEExusKZhdINIsLyVhm08ek9GLEUUSccH0I:4FuMxZeL0YrzE3qdMLyVh7orUUSh

Malware Config

Extracted

Path

C:\$Recycle.Bin\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/f0598199c13cc0e6
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---
---BEGIN PC DATA---
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
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/f0598199c13cc0e6

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware that was first observed in late June and early July 2021.

  • Detect MafiaWare666 ransomware 2 IoCs
  • GandCrab payload 3 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • MafiaWare666 Ransomware

    MafiaWare666 is ransomware written in C# with multiple variants.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (161) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (361) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies Windows Firewall 2 TTPs 6 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 25 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 6 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00483.7z
    1⤵
    • Modifies registry class
    PID:1932
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4368
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1572
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00483.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3676
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Users\Admin\Documents\Hacı Ahmet.exe
          "C:\Users\Admin\Documents\Hacı Ahmet.exe"
          4⤵
          • Executes dropped EXE
          PID:5084
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /release
            5⤵
            • Gathers network information
            PID:6068
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" firewall set opmode disable
            5⤵
            • Modifies Windows Firewall
            PID:6076
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /release
            5⤵
            • Gathers network information
            PID:3688
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" firewall set opmode disable
            5⤵
            • Modifies Windows Firewall
            PID:6204
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /release
            5⤵
            • Gathers network information
            PID:6212
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" firewall set opmode disable
            5⤵
            • Modifies Windows Firewall
            PID:5380
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /release
            5⤵
            • Gathers network information
            PID:5788
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" firewall set opmode disable
            5⤵
            • Modifies Windows Firewall
            PID:5764
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /release
            5⤵
            • Gathers network information
            PID:5940
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" firewall set opmode disable
            5⤵
            • Modifies Windows Firewall
            PID:6032
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /release
            5⤵
            • Gathers network information
            PID:1524
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" firewall set opmode disable
            5⤵
            • Modifies Windows Firewall
            PID:6348
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Users\Admin\AppData\Roaming\Payload.exe
          "C:\Users\Admin\AppData\Roaming\Payload.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4556
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe
        HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();shell=new%20ActiveXObject("wscript.shell");shell.regwrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\adr","C:\\Users\\Admin\\Desktop\\00483\\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe");
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:244
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\explorerkiller.bat" "
          4⤵
          PID:5284
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Gen.gen-a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90.exe
        HEUR-Trojan-Ransom.MSIL.Gen.gen-a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1168
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d.exe
        HEUR-Trojan-Ransom.Win32.Blocker.pef-94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
          "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4076
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2.exe
        HEUR-Trojan-Ransom.Win32.Blocker.pef-dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
          "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2964
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93.exe
        HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:3084
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe
        HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2172
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptor.gen-be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
        HEUR-Trojan-Ransom.Win32.Cryptor.gen-be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3712
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:7068
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\917284472.png /f
            5⤵
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            PID:5132
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
            5⤵
            • System Location Discovery: System Language Discovery
            PID:6140
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe
        HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        PID:2448
        • C:\Windows\SysWOW64\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          4⤵
          PID:2980
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe
        HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 484
          4⤵
          • Program crash
          PID:6480
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe
        HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe
          "C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe"
          4⤵
          • Executes dropped EXE
          PID:5992
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 472
            5⤵
            • Program crash
            PID:6488
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe
        HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:6000
        • C:\Users\Admin\AppData\Roaming\Dados Trabalho.exe
          "C:\Users\Admin\AppData\Roaming\Dados Trabalho.exe" C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:6380
          • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
            "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:6512
            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
              "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:6664
              • C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
                "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:6832
                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
                  "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:6900
                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                  "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:6976
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:7164
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:4160
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:4372
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:1764
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:6128
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:5296
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:5508
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:5864
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                    9⤵
                    PID:3256
      • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe
        HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe
        3⤵
        • Modifies WinLogon for persistence
        • Drops startup file
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:6552
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5992 -ip 5992
    1⤵
    PID:6304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2096 -ip 2096
    1⤵
    PID:6416
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4856
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4916

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\KRAB-DECRYPT.txt
    Filesize: 8KB
    MD5: b5e093f1bcfbca24f1ca57b5c23293ff
    SHA1: 56786af5d48f27474db6da8ea32d4acfe42061c4
    SHA256: 1b82c142e4cea3a87bf3daa958249f0416f226921a72bd6ea95a873b6140f531
    SHA512: f2412944b595ffbbb89d9ddd64eff137c4dbf222053c7b902acbfcdd195f74af55150524bfa5e0ddcf930b862605b2438e41e03c6b7b942b36d2e2aabbc756da
  • C:\GET_YOUR_FILES_BACK.txt
    Filesize: 1011B
    MD5: d90d05a5fea9c28b3bf2b55f808c3a45
    SHA1: 7774c79c85b4401acfc56002f9e8a3e10e8a7b60
    SHA256: 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec
    SHA512: 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a
  • C:\Program Files\7-Zip\7-zip.chm.exe
    Filesize: 1.8MB
    MD5: 2d98246fc6843d1192a16aeee63f967b
    SHA1: d52077ca006ee8fcc4ab43e3761c0d19314bbba9
    SHA256: 85fc44e0778027b9c2ed50c8cebefe108773b4f587b1c9be15e6f5d5cc64b904
    SHA512: dab48fc9715cca602488d71968627ecfb1e2e3aedd4e16270ca1a118046f98e355fab7e226edd97dccba42c1da7e05831100fa0473266e0913032bdc68888652
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    Filesize: 64KB
    MD5: d2fb266b97caff2086bf0fa74eddb6b2
    SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
    SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
    SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
    Filesize: 4B
    MD5: f49655f856acb8884cc0ace29216f511
    SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
    SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
    SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
    Filesize: 944B
    MD5: 6bd369f7c74a28194c991ed1404da30f
    SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
    SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
    SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
  • C:\Users\Admin\AppData\Local\Temp\7zEC5EABEE7\00483\Trojan-Ransom.Win32.Blocker.ndgg-c910c9901ea9ff059e3596cf1e49c16c3b757176397c961760f06d6dad553472.exe
    Filesize: 15.9MB
    MD5: d79d945d07bc09c8386943bd6d4bb307
    SHA1: a461cfa215b5540db195354b1cad3e68d790668e
    SHA256: c910c9901ea9ff059e3596cf1e49c16c3b757176397c961760f06d6dad553472
    SHA512: 4e8277bd8177e76bc36675d336457d03032866c6c78772059e2992e19d9b96642c30f66e71023f461445c14f28dc1890f1a07a15f00f26b973da5a6ed627e3cc

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vqcaxl2.ac3.ps1

                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

                                  Filesize

                                  50KB

                                  MD5

                                  9b289da45db35a863bbf2775b118fb38

                                  SHA1

                                  346293a7405d87157c1b24b32b44882601417458

                                  SHA256

                                  49e38c04215f4f1b570681c5df8135ba972194ad2abbe28576440a1e14468872

                                  SHA512

                                  c74e175f1ff4f664068af03345e30fe3d87f999ab8c87b5b3cf79d99112d9a0140c20dce26289f6c711ca31b8b9bc587d5fba274fb6dbe35dfc588c8698f42ed

                                • C:\Users\Admin\AppData\Roaming\Dados Trabalho.exe

                                  Filesize

                                  4.1MB

                                  MD5

                                  e9a4ab847a556bcf559a3a357c5f2795

                                  SHA1

                                  43645de5c291c690309901cd0a6858490b5bcabd

                                  SHA256

                                  b48f1bf5e248bcfa3c95315ebec854f08f91e129e31ea62fb2173ca074d569b9

                                  SHA512

                                  3842b9b28e1d26b0a50755b0cea35193aecbbdbba85579c7b306475c363de7846fd5df4875341bcee36ae972dc75befe420f9c27a322f3bd9a1b0bd087c122b1

                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe

                                  Filesize

                                  4.1MB

                                  MD5

                                  c194f05400fd0bca323af3abfba469c0

                                  SHA1

                                  9990be9c83cb654c41f59b6b9b7e72439911a3f5

                                  SHA256

                                  89a7c081bf3c094fd0a466c62d9858603173146923d4ca0d7a945c0a23c92b4b

                                  SHA512

                                  f4fc35b85296306547521226536a9d16556038dbca806e9b4773963a60e7e3c9b203911a66dc0e67590d26b6a0fffdb4c3f4ad966779cf0c4bff1b547c38d685

                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

                                  Filesize

                                  4.1MB

                                  MD5

                                  4622764c28edb773090f9674c9005731

                                  SHA1

                                  ca923fbf2055e1bd8776d01969ff72c1fe620168

                                  SHA256

                                  7629c82901a855836022d416fc3dcc316ca6b98940f0bcb2db1a453d76c5d827

                                  SHA512

                                  d6f0045971d68a7cde12950a936a3f3ac1aee3300068281ada086445e0cc68fb91f1d2ce97c9b51f24ce97a47a7c28ec2a446efa794c039e0e96aa7a33aa6798

                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

                                  Filesize

                                  4.1MB

                                  MD5

                                  93e1b8fc79aab4782cc9236439331e09

                                  SHA1

                                  b9771b3da4357c5a5134aec1e9b9294677fa7d0f

                                  SHA256

                                  4f6ac271f9bbd731a35dbe68d0e60ca2622340796beaab9f05270c879c6aca86

                                  SHA512

                                  220546dbd5dff5c6d38727a5dcb0f71c29329ab576209c6eea79a2a7aa3eb330392d69deaaf6a1510aa157f11da10e6bbe6933961849761f6c3f6e584824a9e8

                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

                                  Filesize

                                  4.1MB

                                  MD5

                                  bc0d26d4c9eb77869e9a811866a31daf

                                  SHA1

                                  84353ee49d751564aea0e9c87528c5630ca7736a

                                  SHA256

                                  1802701cf076ddb0593810e3e736d75cc4501ac5e143311df9131666608550cd

                                  SHA512

                                  6e579af9b9fee927ebee1b8d137b04b9aa09f7eda0a68150d3d6a66953ddf81b955a708c22df4e84219b55b77809b5b67f2d28eea24cc084340801c4a9086e48

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98.exe

                                  Filesize

                                  378KB

                                  MD5

                                  1b9a97649cccdfd5d9b7f708338d8e40

                                  SHA1

                                  4cd9d158874ef995627ca0fbdd08157f20bff8a0

                                  SHA256

                                  16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98

                                  SHA512

                                  1de788c66e5449eba56967414b80810ee0fb5d6812e661c9f1b7b3aeae16eed64d77b24e5a584e66196dfe1a25b899c6c53b6cbaa03aa7124079eaaca284a8eb

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe

                                  Filesize

                                  6KB

                                  MD5

                                  5dc74da8b3b3258c94ab980a9577a219

                                  SHA1

                                  ccf4dc5e49e317c941ca1274cf6f5b6d8b851b64

                                  SHA256

                                  825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7

                                  SHA512

                                  e7af1c84dbaf54f140c5a957c1b900fea961ed8219ce7b92257d18158b7f937c0299b91069c6963debe17ec62e4ea0af14a959915d353862ed7fe351dcef58f6

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe

                                  Filesize

                                  235KB

                                  MD5

                                  4c0c842fe006a14361e1ecff30a90754

                                  SHA1

                                  f57efbc22c381feec88b7d82e167b8e2eb1dca1d

                                  SHA256

                                  184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2

                                  SHA512

                                  851d096c83c3284af635cdd029736e93bb2abd32cb0c7dab1985f46ff5c3eb3ea84120fb27802d4045608ee967a75d8f347466e68a7fe782d79dd36eef730604

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Gen.gen-a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90.exe

                                  Filesize

                                  557KB

                                  MD5

                                  52c527df9e7554e940c3c45b4e9b3e30

                                  SHA1

                                  ae182f41baae6a5f3c05803933ba77578772233c

                                  SHA256

                                  a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90

                                  SHA512

                                  eabb6293309e5ac13a9530efe8f3f75d6fa1102a6fed2a1825022fff584836796fc6eab97b42fe88cb618c987907b2c3224cfa79bec8b8f332f72a0f9412752c

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d.exe

                                  Filesize

                                  50KB

                                  MD5

                                  d28016f1314390c3472db9a375236fbe

                                  SHA1

                                  2d7cca420a24f1d20c5258e321f8fcb7381f9418

                                  SHA256

                                  94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d

                                  SHA512

                                  7860668d65294daef45f8749e58db932e8352bf452b0f04c9e5edc5ba24155a91561daa0a3ecec78a636fd5bae51a1ee769f7bacee349c583963dbc60f376db3

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2.exe

                                  Filesize

                                  50KB

                                  MD5

                                  919bfbc3dd8239dd7ac114dbe97d2ffd

                                  SHA1

                                  944fb4424e95cdc947137e48dd11788b0a086f5f

                                  SHA256

                                  dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2

                                  SHA512

                                  935d4c02e167b604d1d4a238702639932e487b9be67529f033ba378906be029069913ed193d85db92946f4b0d2f1e8846f46f169d16d703bd9254d648c7c1b3c

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe

                                  Filesize

                                  130KB

                                  MD5

                                  bf3a4bb4e42c26f585159f7aa103bc73

                                  SHA1

                                  d513c1fe0b0d89eef5a2c4bbfbca9d7e9043901c

                                  SHA256

                                  0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48

                                  SHA512

                                  bdb0a4088f3b3f556d86d12996502980f7db41811e2c42355ad7d1678ce1a32fd5ab1cdb61ec95e5c5903a4deee7401f05676f214c8b208f83bf76dbeae974b2

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptor.gen-be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe

                                  Filesize

                                  921KB

                                  MD5

                                  075cb88f83fbe4ad2ae0f553697e7bdf

                                  SHA1

                                  773dce7c01a42e8371cf49ceda07f26cba0907b9

                                  SHA256

                                  be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70

                                  SHA512

                                  3f0a503acbfffc79eed37597d59e313c31f6b5451fdad79eacd611119ec17a4a245928079993689811a5695ad310951a282b1c493d08bdb31aa2b5fdbf63bf67

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe

                                  Filesize

                                  700KB

                                  MD5

                                  97f1152d4d5d5a0167dc4b948221cbc2

                                  SHA1

                                  f053ef59d29b7a7db43269bc2d4e66720a0deea0

                                  SHA256

                                  4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87

                                  SHA512

                                  ef8133995dbea229d3a8134b00bce0cca716863742cb8beae7361cea69cd7fdfa7d9d2161fb85763cb4b2306111f03e54d81b628360d80268a90f76e5962a25b

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe

                                  Filesize

                                  244KB

                                  MD5

                                  a6d71c7aad5ca942f7bec9203077982e

                                  SHA1

                                  e6373b1fa7244272dca1ab1ffa6d9f4db12e2d63

                                  SHA256

                                  000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9

                                  SHA512

                                  529cdab3691ebe5270a42abba95a61eadf0d58bc38089aab084dd125fad2d1ccd260ae7440a93bfa0b51762521818168aca02dfe7d16153f11da87ebcd520430

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe

                                  Filesize

                                  166KB

                                  MD5

                                  f71627946236be60b9d37d1b0864df0d

                                  SHA1

                                  820d02f1620abb69fe549f28d6b709594f706934

                                  SHA256

                                  021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c

                                  SHA512

                                  598732b27d1cf7117462756cdad11968f302bb07bbb209585b4aa0ece2adef444d09de0e729c4777fa163cf07291bfb88afc3c15b505929a7e057b454de22316

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe

                                  Filesize

                                  4.1MB

                                  MD5

                                  bc5e7222161a863eeb51a73a4612bd0c

                                  SHA1

                                  c97e0ae4ff536bf2c4f110d0a4e211d9e160501d

                                  SHA256

                                  c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07

                                  SHA512

                                  2ecb08e49cc223ccf6afa502a1fba1d8e28e5f67481be62ca8b5925f0402216389d8ab19e7a7b9aaf8a6d67503612c963f291fea7a9c6f704f9cf7d61c879646

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe

                                  Filesize

                                  1.8MB

                                  MD5

                                  95963c1315d495929e29e5e748cdc719

                                  SHA1

                                  3e9bd72a036d2cfa545117d111adfb7bb4246fad

                                  SHA256

                                  a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d

                                  SHA512

                                  56073dbf3094cf53b7d70a09747ce730bcaf9aed38b30fac25c0984690224be11c83237e9c8e629efd40672c8b20676399dbf10e8b19fd37a53b697d65bd6037

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-12089752956de5e082e810a5d4eb4ffe97a92112cd83244f2269fff76abae196.exe

                                  Filesize

                                  693KB

                                  MD5

                                  67cb0de159aec506bde6957e45292b01

                                  SHA1

                                  069622c77628b72ec60a8fc8f783f43076cb83f8

                                  SHA256

                                  12089752956de5e082e810a5d4eb4ffe97a92112cd83244f2269fff76abae196

                                  SHA512

                                  8f1fc077aa2b6fdad1faa9189253389caca2a3f8dd87e8618a22bf3cbcede757cfb387af3994b9ab919c407721e398241576e7ed3d3e241325cf23e5ebe65f4c

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-30f5851e3da28ff1b585a286a5a989406b37060ea32bd68acf7769da51edd767.exe

                                  Filesize

                                  14.3MB

                                  MD5

                                  98648bbc68a9bd40908e86c6ef0071c1

                                  SHA1

                                  0293e6a0093bbaf0f39b47190353b988caf4947b

                                  SHA256

                                  30f5851e3da28ff1b585a286a5a989406b37060ea32bd68acf7769da51edd767

                                  SHA512

                                  023a742ed066819d7dfa1f37baee4384146a94df8211430c6bcdb28ae208f0027e986633fbce632bd6ab47ca692cd52e1aaf450195d44813dc5cb85a5faf6662

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-d0926befd5cd69120ff95338e14e74da1ce19291a8c0ee35a852304731bc6560.exe

                                  Filesize

                                  875KB

                                  MD5

                                  64ef237c8ec59df2732b191b54e8e4d9

                                  SHA1

                                  4d3a1cde375d47b3fe7d74a9934a7ea5d3d3e9eb

                                  SHA256

                                  d0926befd5cd69120ff95338e14e74da1ce19291a8c0ee35a852304731bc6560

                                  SHA512

                                  9ea1352da3229a3b0ef68c3d30da1eb4fc35ea7c659d25f32532edef482143ce5904aa9bf08919d29779c92021407ba8b21d9816e187284f9a6d26196ba86024

                                • C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-e9d4af41d7c3f1f49d3b78f949c23320af1f89199dab79da3eecbac6c5fe02b5.exe

                                  Filesize

                                  900KB

                                  MD5

                                  37c6edc652f5cab6f37f9985b450cb55

                                  SHA1

                                  5225d4915cf979c7d6bb51ac9172af1f5f65f3bf

                                  SHA256

                                  e9d4af41d7c3f1f49d3b78f949c23320af1f89199dab79da3eecbac6c5fe02b5

                                  SHA512

                                  c23af4b0ebf494620f9e6bf3861f633a1f499fbdbc3ae9ffd82e0b1116bcb8f169ca3b1b897469a9eb3f80eba2ccd7394519d4f023ec5fa49b29bbbb6226d61a

                                • C:\Users\Admin\Desktop\Encrypted-----------.som

                                  Filesize

                                  350KB

                                  MD5

                                  0e1491df58568d33a5b3e0b851569869

                                  SHA1

                                  dd6574747ae096f1237f0b9e97b2ffeeacc4d2c5

                                  SHA256

                                  53524ef716f4eef3948036896a52b96a536214287c76555461bb2203bdcdab47

                                  SHA512

                                  7f251998091093914d5deb42a283361c83f56a7b3366ad1acb7fca44966b1b5671415b9ab71ce3d51201c6e06efd701ad17edc059978b221e5180170cb9d2e80

                                • C:\Users\Admin\Desktop\Encrypted----------.som

                                  Filesize

                                  10KB

                                  MD5

                                  2bad1ceab30b97c27cd18228a117e239

                                  SHA1

                                  4128c35ca3566bb2e01d9a2f322c3be1c3220d37

                                  SHA256

                                  ed2cae6c0c173001f3bffadfbf3c10cf1dafff4ad0e270f3bfa13b4d6abca244

                                  SHA512

                                  ad11c1209e1fcbc27b20f42f549f350fc003497564beb71e1982d3c123a1c979df394fad73fa6a18e5c6e3b462ddd63a02e4def64940efe0d4daf5be92ab9a58

                                • C:\Users\Admin\Desktop\Encrypted---------.som

                                  Filesize

                                  533KB

                                  MD5

                                  c069dc352ae25426adcedac87644fd8f

                                  SHA1

                                  c5d0813c919c99bcb09d0af8dfa1a2c007a081da

                                  SHA256

                                  c9637c2d353bfe6f6e55a6ae01782caa8fe83ef248228007ee12bc7a297379c9

                                  SHA512

                                  af7d04ab7d98f3f3cdad86f12ecca4d6abb36e1dcd048fd884265a56125fb324d512bd10ef269886630935ee7df20888855a142e4a1a1f5a8696ab42713e55ac

                                • C:\Users\Admin\Desktop\Encrypted--------.som

                                  Filesize

                                  13KB

                                  MD5

                                  3a0b0f2afd73d6816343e71488adf3ed

                                  SHA1

                                  6af38b3945f7a08c970facdd4a19a50f8be10597

                                  SHA256

                                  f3d4137b9215203d5f2d4d4f5f7dbeeb65caaffebe2cab9028df29bb16799aec

                                  SHA512

                                  1b26e763a76994fbe4c29e92430815975fb380f57408ec006c27fcea14bb998afa331a529fa9f051ea7c28af4db86f4dcd635f1f5915b1208b12e226eaa58675

                                • C:\Users\Admin\Desktop\Encrypted-------.som

                                  Filesize

                                  600KB

                                  MD5

                                  14dad6353afcd59a64bdaf7f069fb8df

                                  SHA1

                                  53ba34886c5a89d06e07725792697fd3ed40febe

                                  SHA256

                                  76a8fb873fe8c6963e82593dab555bea1c87a840fddd0edef34ed393b7e56fc0

                                  SHA512

                                  0818fd024ef89440858bea7eef0bcccc08b368a4804769d41ac096369208d58f43b9415d83bf73a1a6c8c9a8284412b447087151e3ffe3de912f2de359373301

                                • C:\Users\Admin\Pictures\AddGrant.pcx.avos2

                                  Filesize

                                  184KB

                                  MD5

                                  78f9b1a6db2f1b90c0a8b6e7f561350a

                                  SHA1

                                  60a346fc846cdca7f524a4ae9f677c0958ec7ee4

                                  SHA256

                                  435065c42ed334eb7ad98e69140edc700a8aaf6c27e2584e94104433339259c2

                                  SHA512

                                  86af5463f2f9c82df817d872a8b7775ee6efd269ac00700639c815e61e8edb2999a14506a26dfec2084cece29fe78ed7aa261215673c1a5236ca0182f7715591

                                • C:\Users\Admin\Pictures\ApproveOpen.tif.avos2

                                  Filesize

                                  175KB

                                  MD5

                                  3d59d10a293711646ca3466971d0f306

                                  SHA1

                                  d605f56ba3e828cd3c8f665c3bb4764b24ce239a

                                  SHA256

                                  37968f2b38205679ab1a3193cfed9df996e73d02991c2d3e1b63c0a1b5174a3f

                                  SHA512

                                  a9328e54a001377cf12ed98bc1e169443ff14ec4ffbedc4e5f0b07c4a79efac745e2f7bf9455d92669d6e468463c3f7b6a0beb7be6d6ce8b040530a701038c22

                                • C:\Windows\win.ini

                                  Filesize

                                  6KB

                                  MD5

                                  7bd45b4353c2eb076cb800af6794c74c

                                  SHA1

                                  8b43110b86ab342a3a50fba1101af23e58afb81f

                                  SHA256

                                  46768646ca5a5742bd66e10f807c7d85c06d67f34d01e1da68c0ed585e81c74d

                                  SHA512

                                  a41d292080b01fa6884140f0aab6a9a45310ff8eccf850715d5b373c8aeaf0a57ed060e12475621372876ccf05d64278f89ec9b458d3c1af4cc60b5999f735f3

                                • F:\AUTORUN.INF

                                  Filesize

                                  145B

                                  MD5

                                  ca13857b2fd3895a39f09d9dde3cca97

                                  SHA1

                                  8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

                                  SHA256

                                  cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

                                  SHA512

                                  55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

                                • \??\c:\users\admin\desktop\00483\heur-trojan-ransom.win32.crypmodadv.vho-d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93.exe

                                  Filesize

                                  1.8MB

                                  MD5

                                  c380626d5678779650426785725236cb

                                  SHA1

                                  fdd6b743d71b1f84f957e9132457a89d372c2998

                                  SHA256

                                  d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93

                                  SHA512

                                  dc6f3fbfbc941e576d3bc186f01d496d4845e65ec7c44dec27af523748f033c8bdbab5ae6143f374440650ec0b6114a5fd167865bedba8e1d3565eada2c8b71c

                                • memory/1128-184-0x0000000000100000-0x0000000000108000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/1168-219-0x0000000000420000-0x00000000004B0000-memory.dmp

                                  Filesize

                                  576KB

                                • memory/1168-225-0x0000000004D60000-0x0000000004D6A000-memory.dmp

                                  Filesize

                                  40KB

                                • memory/1400-157-0x000001EFBA530000-0x000001EFBA531000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1400-151-0x000001EFBA530000-0x000001EFBA531000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1400-158-0x000001EFBA530000-0x000001EFBA531000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1400-156-0x000001EFBA530000-0x000001EFBA531000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1400-152-0x000001EFBA530000-0x000001EFBA531000-memory.dmp (Filesize 4KB)
                                • memory/1400-162-0x000001EFBA530000-0x000001EFBA531000-memory.dmp (Filesize 4KB)
                                • memory/1400-160-0x000001EFBA530000-0x000001EFBA531000-memory.dmp (Filesize 4KB)
                                • memory/1400-161-0x000001EFBA530000-0x000001EFBA531000-memory.dmp (Filesize 4KB)
                                • memory/1400-159-0x000001EFBA530000-0x000001EFBA531000-memory.dmp (Filesize 4KB)
                                • memory/1400-150-0x000001EFBA530000-0x000001EFBA531000-memory.dmp (Filesize 4KB)
                                • memory/1732-218-0x0000000005020000-0x00000000050B2000-memory.dmp (Filesize 584KB)
                                • memory/1732-216-0x00000000055D0000-0x0000000005B74000-memory.dmp (Filesize 5.6MB)
                                • memory/1732-206-0x00000000006B0000-0x00000000006F0000-memory.dmp (Filesize 256KB)
                                • memory/2096-1017-0x0000000000C10000-0x0000000000C27000-memory.dmp (Filesize 92KB)
                                • memory/2096-1068-0x0000000000400000-0x0000000000B4B000-memory.dmp (Filesize 7.3MB)
                                • memory/2096-1016-0x0000000000400000-0x0000000000B4B000-memory.dmp (Filesize 7.3MB)
                                • memory/2448-1105-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize 716KB)
                                • memory/2448-2358-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize 716KB)
                                • memory/2448-2383-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize 716KB)
                                • memory/2772-209-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/2772-241-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/2964-1022-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/2964-237-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/3084-2356-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                                • memory/3084-214-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                                • memory/3084-1102-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                                • memory/4076-239-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/4076-1023-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/4396-201-0x000000001BF30000-0x000000001BFCC000-memory.dmp (Filesize 624KB)
                                • memory/4396-217-0x0000000001850000-0x0000000001858000-memory.dmp (Filesize 32KB)
                                • memory/4396-200-0x000000001C510000-0x000000001C9DE000-memory.dmp (Filesize 4.8MB)
                                • memory/4716-143-0x000001DD72F70000-0x000001DD72F92000-memory.dmp (Filesize 136KB)
                                • memory/4716-144-0x000001DD73680000-0x000001DD736C4000-memory.dmp (Filesize 272KB)
                                • memory/4716-145-0x000001DD73750000-0x000001DD737C6000-memory.dmp (Filesize 472KB)
                                • memory/4716-147-0x000001DD73020000-0x000001DD7323C000-memory.dmp (Filesize 2.1MB)
                                • memory/4856-236-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/4856-215-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
                                • memory/5992-1003-0x0000000000790000-0x00000000007B7000-memory.dmp (Filesize 156KB)
                                • memory/5992-1001-0x0000000000790000-0x00000000007B7000-memory.dmp (Filesize 156KB)
                                • memory/7068-1005-0x0000000004DE0000-0x0000000004E16000-memory.dmp (Filesize 216KB)
                                • memory/7068-1092-0x00000000063D0000-0x000000000641C000-memory.dmp (Filesize 304KB)
                                • memory/7068-1010-0x0000000005500000-0x0000000005B28000-memory.dmp (Filesize 6.2MB)
                                • memory/7068-1087-0x0000000006380000-0x000000000639E000-memory.dmp (Filesize 120KB)
                                • memory/7068-1205-0x00000000068C0000-0x00000000068DA000-memory.dmp (Filesize 104KB)
                                • memory/7068-1204-0x00000000079A0000-0x000000000801A000-memory.dmp (Filesize 6.5MB)
                                • memory/7068-1055-0x0000000005F10000-0x0000000006264000-memory.dmp (Filesize 3.3MB)
                                • memory/7068-1047-0x0000000005E10000-0x0000000005E76000-memory.dmp (Filesize 408KB)
                                • memory/7068-1048-0x0000000005EA0000-0x0000000005F06000-memory.dmp (Filesize 408KB)
                                • memory/7068-1046-0x0000000005D60000-0x0000000005D82000-memory.dmp (Filesize 136KB)