crimsonrat | a513460aca621b82a0f03d4f11297ba49e2c026a8ccb025bb838778fbd8cbf51

Analysis

max time kernel
63s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00449.7z
Size

144.2MB
MD5

f206ad177f3f8ccc84509a938107200b
SHA1

45c789c3ac7cdfc34e38e47198bf55ea49ec2dcd
SHA256

a513460aca621b82a0f03d4f11297ba49e2c026a8ccb025bb838778fbd8cbf51
SHA512

f79b83f6ab22cc9bac0486f68f3a9dbde4557baf69d76a99ada3732e4c2d4ba27baf6aaab9e21c555e4b78ff6915df9e21fc5269425554669a00baa9c5439a91
SSDEEP

3145728:uVYBVf+gyzv13IWFhqr0Goa6s9GS+00E5bxQxFKoJY05+XVh7RAjI0j:0YbmBv13IWyr159Z0ImxFKoXaNRAjT

Score

10^/10

crimsonrat discovery evasion exploit ransomware rat upx

Malware Config

Extracted

Family

crimsonrat

134.119.181.142

10.5.26.108

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\!! READ ME !!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here [email protected] reserve [email protected] jabber [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. If we do not receive a message from you within three days, we regard this as a refusal to negotiate. Check our platform: http://cuba4mp6ximo2zlo.onion/ * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Do not stop process of encryption, because partial encryption cannot be decrypted.

Emails

[email protected]

URLs

http://cuba4mp6ximo2zlo.onion/

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
944	takeown.exe
1068	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a.exe

Executes dropped EXE 18 IoCs

pid	Process
4684	HEUR-Trojan-Ransom.MSIL.Blocker.gen-26b2619f3a1eae7a181a64e22180e37ba481de6547d31ad92fd6f1ddbbe521bf.exe
2116	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2976fe148052984b7b22f2c0290b0f0aee295321306105c9be4fd028927dab75.exe
4564	HEUR-Trojan-Ransom.MSIL.Blocker.gen-76d2ccdcfa4695341195307272f60a18bfcb683a7fb4fc2bcb34086621150d7b.exe
5032	HEUR-Trojan-Ransom.MSIL.Blocker.gen-95456ba2f4fbf03f0c912d8f9978f9959346131f739d2d5fb75e4cd6a7afcbb9.exe
3928	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c8554866c99c83f0bda622c57e7a459ee12aaeb16ea28d1149aab12d899b911c.exe
1092	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cb76570a28c5c36850332fbbca4571adf1dbc6e2fed7e5d5b659ffab770bcf57.exe
1036	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd281fb8181ad6dc389ea9de8c1493ce8e86ba7b62fa297dd74bf9fee6e3bc80.exe
2800	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0af0ba97c039b19e152c0369e06a749ea673386360fbd6b66d9dcf2c682ed7f.exe
2476	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fa7930c2fcf1e0114a5106d283955356e18e1167e88a96c8e37ed595589b558e.exe
860	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a.exe
4724	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d3feb748d88cf5850d7e589c78fbfa241912f8c6b80be65a5617209823e27fe.exe
4452	HEUR-Trojan-Ransom.MSIL.Foreign.gen-b6a4677bee8b8e6229f1eeb1fcef14c2cb9da7d9ffcc320379aa5dce0cf05b44.exe
3132	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-2890a66647369ceb4bfde150713829ab4b7d6c8d2c248efd3401f72aa732a14d.exe
4136	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
1500	HEUR-Trojan-Ransom.Win32.Encoder.gen-b282a8c633e080c2cd0f7edd0f744ad367e169f38b7bdacc04fc04400bb8f819.exe
1808	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-59936b168ddf053a0c41b90bf59d38de120405050ca4fdd6ce95999607d635aa.exe
608	HEUR-Trojan-Ransom.Win32.Gen.gen-d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f.exe
2244	HEUR-Trojan-Ransom.Win32.Generic-40885989fcc40834fb10ebd49d8c65abb34f736ef94c7f18d169cca5370399c8.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
944	takeown.exe
1068	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
55	drive.google.com
54	drive.google.com

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ca1-232.dat	upx
behavioral1/memory/4136-233-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x000b000000023cf9-249.dat	upx
behavioral1/memory/4136-301-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0007000000023cb8-1268.dat	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7-zip.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
File created	C:\Program Files\7-Zip\7-zip.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	4724	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-26b2619f3a1eae7a181a64e22180e37ba481de6547d31ad92fd6f1ddbbe521bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cb76570a28c5c36850332fbbca4571adf1dbc6e2fed7e5d5b659ffab770bcf57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d3feb748d88cf5850d7e589c78fbfa241912f8c6b80be65a5617209823e27fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-59936b168ddf053a0c41b90bf59d38de120405050ca4fdd6ce95999607d635aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-b282a8c633e080c2cd0f7edd0f744ad367e169f38b7bdacc04fc04400bb8f819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Gen.gen-d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1316	powershell.exe
1316	powershell.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3716	7zFM.exe
1828	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	3716	7zFM.exe
Token: 35	3716	7zFM.exe
Token: SeSecurityPrivilege	3716	7zFM.exe
Token: SeDebugPrivilege	4784	taskmgr.exe
Token: SeSystemProfilePrivilege	4784	taskmgr.exe
Token: SeCreateGlobalPrivilege	4784	taskmgr.exe
Token: SeDebugPrivilege	1828	taskmgr.exe
Token: SeSystemProfilePrivilege	1828	taskmgr.exe
Token: SeCreateGlobalPrivilege	1828	taskmgr.exe
Token: 33	4784	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4784	taskmgr.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2800	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0af0ba97c039b19e152c0369e06a749ea673386360fbd6b66d9dcf2c682ed7f.exe
Token: SeDebugPrivilege	4724	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d3feb748d88cf5850d7e589c78fbfa241912f8c6b80be65a5617209823e27fe.exe
Token: SeTakeOwnershipPrivilege	944	takeown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3716	7zFM.exe
3716	7zFM.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
4784	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1828	4784	taskmgr.exe	101
PID 4784 wrote to memory of 1828	4784	taskmgr.exe	101
PID 1316 wrote to memory of 3160	1316	powershell.exe	108
PID 1316 wrote to memory of 3160	1316	powershell.exe	108
PID 3160 wrote to memory of 4684	3160	cmd.exe	109
PID 3160 wrote to memory of 4684	3160	cmd.exe	109
PID 3160 wrote to memory of 4684	3160	cmd.exe	109
PID 3160 wrote to memory of 2116	3160	cmd.exe	110
PID 3160 wrote to memory of 2116	3160	cmd.exe	110
PID 3160 wrote to memory of 4564	3160	cmd.exe	111
PID 3160 wrote to memory of 4564	3160	cmd.exe	111
PID 3160 wrote to memory of 5032	3160	cmd.exe	112
PID 3160 wrote to memory of 5032	3160	cmd.exe	112
PID 3160 wrote to memory of 3928	3160	cmd.exe	113
PID 3160 wrote to memory of 3928	3160	cmd.exe	113
PID 3160 wrote to memory of 1092	3160	cmd.exe	114
PID 3160 wrote to memory of 1092	3160	cmd.exe	114
PID 3160 wrote to memory of 1092	3160	cmd.exe	114
PID 3160 wrote to memory of 1036	3160	cmd.exe	115
PID 3160 wrote to memory of 1036	3160	cmd.exe	115
PID 3160 wrote to memory of 2800	3160	cmd.exe	116
PID 3160 wrote to memory of 2800	3160	cmd.exe	116
PID 3160 wrote to memory of 2476	3160	cmd.exe	117
PID 3160 wrote to memory of 2476	3160	cmd.exe	117
PID 3160 wrote to memory of 860	3160	cmd.exe	119
PID 3160 wrote to memory of 860	3160	cmd.exe	119
PID 3160 wrote to memory of 4724	3160	cmd.exe	121
PID 3160 wrote to memory of 4724	3160	cmd.exe	121
PID 3160 wrote to memory of 4724	3160	cmd.exe	121
PID 860 wrote to memory of 5028	860	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a.exe	125
PID 860 wrote to memory of 5028	860	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a.exe	125
PID 3160 wrote to memory of 4452	3160	cmd.exe	123
PID 3160 wrote to memory of 4452	3160	cmd.exe	123
PID 3160 wrote to memory of 3132	3160	cmd.exe	127
PID 3160 wrote to memory of 3132	3160	cmd.exe	127
PID 3160 wrote to memory of 4136	3160	cmd.exe	128
PID 3160 wrote to memory of 4136	3160	cmd.exe	128
PID 5028 wrote to memory of 944	5028	cmd.exe	130
PID 5028 wrote to memory of 944	5028	cmd.exe	130
PID 3160 wrote to memory of 1500	3160	cmd.exe	132
PID 3160 wrote to memory of 1500	3160	cmd.exe	132
PID 3160 wrote to memory of 1500	3160	cmd.exe	132
PID 3160 wrote to memory of 1808	3160	cmd.exe	133
PID 3160 wrote to memory of 1808	3160	cmd.exe	133
PID 3160 wrote to memory of 1808	3160	cmd.exe	133
PID 5028 wrote to memory of 1068	5028	cmd.exe	135
PID 5028 wrote to memory of 1068	5028	cmd.exe	135
PID 3160 wrote to memory of 608	3160	cmd.exe	136
PID 3160 wrote to memory of 608	3160	cmd.exe	136
PID 3160 wrote to memory of 608	3160	cmd.exe	136
PID 3160 wrote to memory of 2244	3160	cmd.exe	137
PID 3160 wrote to memory of 2244	3160	cmd.exe	137
PID 3160 wrote to memory of 2244	3160	cmd.exe	137

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00449.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3716

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-26b2619f3a1eae7a181a64e22180e37ba481de6547d31ad92fd6f1ddbbe521bf.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-26b2619f3a1eae7a181a64e22180e37ba481de6547d31ad92fd6f1ddbbe521bf.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4684
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2976fe148052984b7b22f2c0290b0f0aee295321306105c9be4fd028927dab75.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-2976fe148052984b7b22f2c0290b0f0aee295321306105c9be4fd028927dab75.exe
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-76d2ccdcfa4695341195307272f60a18bfcb683a7fb4fc2bcb34086621150d7b.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-76d2ccdcfa4695341195307272f60a18bfcb683a7fb4fc2bcb34086621150d7b.exe
    3⤵
    - Executes dropped EXE
    PID:4564
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-95456ba2f4fbf03f0c912d8f9978f9959346131f739d2d5fb75e4cd6a7afcbb9.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-95456ba2f4fbf03f0c912d8f9978f9959346131f739d2d5fb75e4cd6a7afcbb9.exe
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c8554866c99c83f0bda622c57e7a459ee12aaeb16ea28d1149aab12d899b911c.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-c8554866c99c83f0bda622c57e7a459ee12aaeb16ea28d1149aab12d899b911c.exe
    3⤵
    - Executes dropped EXE
    PID:3928
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cb76570a28c5c36850332fbbca4571adf1dbc6e2fed7e5d5b659ffab770bcf57.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-cb76570a28c5c36850332fbbca4571adf1dbc6e2fed7e5d5b659ffab770bcf57.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd281fb8181ad6dc389ea9de8c1493ce8e86ba7b62fa297dd74bf9fee6e3bc80.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd281fb8181ad6dc389ea9de8c1493ce8e86ba7b62fa297dd74bf9fee6e3bc80.exe
    3⤵
    - Executes dropped EXE
    PID:1036
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0af0ba97c039b19e152c0369e06a749ea673386360fbd6b66d9dcf2c682ed7f.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0af0ba97c039b19e152c0369e06a749ea673386360fbd6b66d9dcf2c682ed7f.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fa7930c2fcf1e0114a5106d283955356e18e1167e88a96c8e37ed595589b558e.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-fa7930c2fcf1e0114a5106d283955356e18e1167e88a96c8e37ed595589b558e.exe
    3⤵
    - Executes dropped EXE
    PID:2476
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Encoder.gen-3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32 /grant "Admin:F"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1068
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d3feb748d88cf5850d7e589c78fbfa241912f8c6b80be65a5617209823e27fe.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d3feb748d88cf5850d7e589c78fbfa241912f8c6b80be65a5617209823e27fe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1760
      4⤵
      Program crash
      PID:2336
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Foreign.gen-b6a4677bee8b8e6229f1eeb1fcef14c2cb9da7d9ffcc320379aa5dce0cf05b44.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-b6a4677bee8b8e6229f1eeb1fcef14c2cb9da7d9ffcc320379aa5dce0cf05b44.exe
    3⤵
    - Executes dropped EXE
    PID:4452
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-2890a66647369ceb4bfde150713829ab4b7d6c8d2c248efd3401f72aa732a14d.exe
    HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-2890a66647369ceb4bfde150713829ab4b7d6c8d2c248efd3401f72aa732a14d.exe
    3⤵
    - Executes dropped EXE
    PID:3132
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4136
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Encoder.gen-b282a8c633e080c2cd0f7edd0f744ad367e169f38b7bdacc04fc04400bb8f819.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-b282a8c633e080c2cd0f7edd0f744ad367e169f38b7bdacc04fc04400bb8f819.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-59936b168ddf053a0c41b90bf59d38de120405050ca4fdd6ce95999607d635aa.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-59936b168ddf053a0c41b90bf59d38de120405050ca4fdd6ce95999607d635aa.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Gen.gen-d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f.exe
    HEUR-Trojan-Ransom.Win32.Gen.gen-d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:608
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-40885989fcc40834fb10ebd49d8c65abb34f736ef94c7f18d169cca5370399c8.exe
    HEUR-Trojan-Ransom.Win32.Generic-40885989fcc40834fb10ebd49d8c65abb34f736ef94c7f18d169cca5370399c8.exe
    3⤵
    - Executes dropped EXE
    PID:2244
  - - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-40885989fcc40834fb10ebd49d8c65abb34f736ef94c7f18d169cca5370399c8.exe
      C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-40885989fcc40834fb10ebd49d8c65abb34f736ef94c7f18d169cca5370399c8.exe
      4⤵
      PID:2824
- - C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-482b160ee2e8d94fa6e4749f77e87da89c9658e7567459bc633d697430e3ad9a.exe
    HEUR-Trojan-Ransom.Win32.Generic-482b160ee2e8d94fa6e4749f77e87da89c9658e7567459bc633d697430e3ad9a.exe
    3⤵
    PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4724 -ip 4724
1⤵
PID:4236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38b5855 /state1:0x41c64e6d
1⤵
PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
1.8MB

MD5
43216eb36545318635bbc65e1a2bd595

SHA1
f03de99b207f11f9be409127d8941b566e2f08dc

SHA256
c45a731f054ccc1ec8e2e0462ed8d5475f45123d260dbbb218fded42a3cd877c

SHA512
763a9c16a93ac76ac44d6880819d9cd4ff7ad9b51819632a73797f2dd71fa7c8d6da00e1e278d755a4735e982ac9351ecd320de9d8fc474f188853d712720638

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\!! READ ME !!.txt

Filesize
636B

MD5
ce7070ae170d746f9113e0c15b3e8029

SHA1
dc076e4859357e910f994f20a66cc67d22122beb

SHA256
bd8db629a0551843c538272bda648fc6d1d6326f36a8e5e9005b4c635ba26ba1

SHA512
1924a8b3a5cb6862a757d300cee0e4bf9879d52a3b373bd8042611965173244fbf9df00cd5e4e9ab3981b875d67d93abb1e67d43a4e8806328afd8fd41e5adc4

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clazk5hy.zry.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-26b2619f3a1eae7a181a64e22180e37ba481de6547d31ad92fd6f1ddbbe521bf.exe

Filesize
607KB

MD5
e92aec37fe2abbea0c4604709fb24301

SHA1
d27906ed2b15ce6293ee2b38edb8c55b4aa9d2c9

SHA256
26b2619f3a1eae7a181a64e22180e37ba481de6547d31ad92fd6f1ddbbe521bf

SHA512
36c5e0c9b51a02bc1390602e2cff963b3db79fcc608c47d30b5eef5b2718a0be6bbcf5effb718e79dc6341797a42193e94bc046fc982c78c6220f286cce5c727

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2976fe148052984b7b22f2c0290b0f0aee295321306105c9be4fd028927dab75.exe

Filesize
6.1MB

MD5
b7c346284e15b3b942e816bc5486b96d

SHA1
5da6af939df14c50e7c1e823e9afe4b23280ee6d

SHA256
2976fe148052984b7b22f2c0290b0f0aee295321306105c9be4fd028927dab75

SHA512
ee91f49c7c56226c7942fa5b1a16d80e5d1e3f4f173225de67c0c964a8c2c9fdae0cc6ecab2c78b3c58be8ddbfe012302d31b0e011c1a216574963bb85f933cb

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-76d2ccdcfa4695341195307272f60a18bfcb683a7fb4fc2bcb34086621150d7b.exe

Filesize
7.6MB

MD5
7b7bcf7dc5d1f4d0ea8f9c5d6a1b5868

SHA1
08b9fe0a7c0c96122ef74fbe0d300a72dac0130a

SHA256
76d2ccdcfa4695341195307272f60a18bfcb683a7fb4fc2bcb34086621150d7b

SHA512
2222ed59755dcc772b7477b4000f1c703e3b66d8c8ff96ec8ac897eca81ff8575eaaa463d87835d25426ff3653d42fc5d9a5f2fed61900ee575ccb21b4bfedeb

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-95456ba2f4fbf03f0c912d8f9978f9959346131f739d2d5fb75e4cd6a7afcbb9.exe

Filesize
6.7MB

MD5
e46ff4268a5ff72e25c41ac9f853bc17

SHA1
ee60a3d07b0f739820a34719a34acf96c30a40ca

SHA256
95456ba2f4fbf03f0c912d8f9978f9959346131f739d2d5fb75e4cd6a7afcbb9

SHA512
f937dc014d1627bc9a056ccab984e85fa70b0be1ed4c981f8101e9b9c704768cbe864cc6d6d9bb3cc335d7b45e5782e63577aa93ea6dae8058e03ddd23dbb51e

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c8554866c99c83f0bda622c57e7a459ee12aaeb16ea28d1149aab12d899b911c.exe

Filesize
6.5MB

MD5
66d4cab9d3a22e231eb816d9fe289b5f

SHA1
8dd2497bc8d1edc7ac91eb2c79f869652f0966ad

SHA256
c8554866c99c83f0bda622c57e7a459ee12aaeb16ea28d1149aab12d899b911c

SHA512
11883aed0a25959531247bb67aa3f24bde1aad55e2311c9c7fb843589f7b1f551e93be201dfb3ba841930e5a33dbaf2ffb0a4e23dff6453efc9f2a502abfea37

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cb76570a28c5c36850332fbbca4571adf1dbc6e2fed7e5d5b659ffab770bcf57.exe

Filesize
373KB

MD5
bcc2479e0ff18df570807b51568382fb

SHA1
cbeeb27e3db2002c1d5c67b405b71cdfb6db0b01

SHA256
cb76570a28c5c36850332fbbca4571adf1dbc6e2fed7e5d5b659ffab770bcf57

SHA512
1adc1b5f5fbe598cae018bc38fa2632c31f6f4ef86291657c96924fc0f713616262af0dc76de65e7a7c8fce7f142e7e8e322c1099b63bb2f76afc525085074a8

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd281fb8181ad6dc389ea9de8c1493ce8e86ba7b62fa297dd74bf9fee6e3bc80.exe

Filesize
12.2MB

MD5
a4bf6371052608e423ba58f5b5509d79

SHA1
2b52297c0c9f777ba9733153bb2779159886d7bc

SHA256
cd281fb8181ad6dc389ea9de8c1493ce8e86ba7b62fa297dd74bf9fee6e3bc80

SHA512
f185285a0c91b2c5c75ecf0a8c61e5554c53e5cca1d149e6b9952b375359c35545f89bf7751f59d8a39e95309c445d6cca9fdbf28ca725015113654d9838a6d5

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0af0ba97c039b19e152c0369e06a749ea673386360fbd6b66d9dcf2c682ed7f.exe

Filesize
252KB

MD5
b11cfb2aca59cb3f4378966f84ab39c1

SHA1
c429f5c2ac1081aebd8939076a42ffdc25f036a6

SHA256
e0af0ba97c039b19e152c0369e06a749ea673386360fbd6b66d9dcf2c682ed7f

SHA512
ddbd83c10c146c2281a2a64cdf556254d5c749c76edd086e6857db57399a43562f6bb05648f1a064f55c5cacba112bc3c746f5a8985887ab5bc0dd5859772e93

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fa7930c2fcf1e0114a5106d283955356e18e1167e88a96c8e37ed595589b558e.exe

Filesize
6.1MB

MD5
c832cc6dbb574b82d0da67623f7eed56

SHA1
7276918d2aff1cbcb89545195fe991fb9fb21b08

SHA256
fa7930c2fcf1e0114a5106d283955356e18e1167e88a96c8e37ed595589b558e

SHA512
0b95f8a834b9a7f6eefc95ff5b6ace014b5f8bbb818e5bf58de65342be1755fe73f7c699a790762909ca9fd511232e38f2601ce0d5d576982cd1007cc9fce978

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Encoder.gen-3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a.exe

Filesize
329KB

MD5
73e4c81af87f1061d1d80dab15784c7c

SHA1
896638d18e206c8fd288390445c97d314c6ebfb3

SHA256
3798b488cc3188ae431d6583c93f86b788f7f1e719314b0e8079269284ecf87a

SHA512
c853dcb267ff716ae3eec5a7a3573c56e25e88564335ee6a287d3fefbbc7a5152e7239eaa47131f59bad0cd6f169402d07c548a86b05cd065c4c3b33808c5fc1

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d3feb748d88cf5850d7e589c78fbfa241912f8c6b80be65a5617209823e27fe.exe

Filesize
74KB

MD5
d2df443016a1cf4dd70016eb802d7231

SHA1
d89ad7d8d2946a9f91593b17436120f08c97af96

SHA256
3d3feb748d88cf5850d7e589c78fbfa241912f8c6b80be65a5617209823e27fe

SHA512
8731464d47ee0d25c21516788cbdf753fb58642c45f880040d26b2a2bd212171beb61af332e9f8c6f98df1d99fc9983fa6a1e52e451578922847dda85f5072c3

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.Foreign.gen-b6a4677bee8b8e6229f1eeb1fcef14c2cb9da7d9ffcc320379aa5dce0cf05b44.exe

Filesize
10.4MB

MD5
0c5e2077f9771be3c7a4bad187206ecf

SHA1
b722f462ea0861b550dac5c875e75635fd5ec1d9

SHA256
b6a4677bee8b8e6229f1eeb1fcef14c2cb9da7d9ffcc320379aa5dce0cf05b44

SHA512
5af16436edb201a7a1f3e8050f99b5882b0f57e2f5845e73a5bf2af3048c408e17374c8f42e6c29e8bc2741492a73dbf695c031209af766ac6f4105cd354eae6

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-2890a66647369ceb4bfde150713829ab4b7d6c8d2c248efd3401f72aa732a14d.exe

Filesize
7.2MB

MD5
31371bfe7f6504d92d0d32bfc891c9eb

SHA1
1fcb81d7a3a66faa177842014113cee58c941352

SHA256
2890a66647369ceb4bfde150713829ab4b7d6c8d2c248efd3401f72aa732a14d

SHA512
18e6796f9f4dcd93a0f60feddc11820122af8cd0cf40b087b03f14b4340a824a4e7b68fad91dbc08a62e72f9a3a8d33de0e04a3638d3ba20a44a055d80f7896b

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91.exe

Filesize
1.8MB

MD5
023a07e19e8f78fe5037a823f60573ad

SHA1
43ccf2784fe07f561fb76760284e1910cb883d92

SHA256
1edfebb99e97cb019df003ecc52fad35c3dbc65021ef2b0df0c28ef53deb2a91

SHA512
c80184ff47f3c63467a398da126fb69303ced5caf8209204f3be1827223f961f35ff1b9251c51236905758dab5a444d5181d157b1d46963369db7d0938b180b8

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Encoder.gen-b282a8c633e080c2cd0f7edd0f744ad367e169f38b7bdacc04fc04400bb8f819.exe

Filesize
3.1MB

MD5
9f9285d4c873d8eceb959f27165db430

SHA1
467e2d2be0d347dea9d512d8c7348844d2e7306d

SHA256
b282a8c633e080c2cd0f7edd0f744ad367e169f38b7bdacc04fc04400bb8f819

SHA512
e5d8d18e6289acd97950d4492fbb10ab824b66561114df8fda91a4f28614ab1e37a001bdda4dd1af401d39082ce384cf7d2444f7777a5776260a7d4b8f4f5449

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-59936b168ddf053a0c41b90bf59d38de120405050ca4fdd6ce95999607d635aa.exe

Filesize
1.1MB

MD5
6a1d109d53c5ab5e5a9e62d3f7be2aa5

SHA1
f5b5f89d7df596c567458df34247a2e4d11451d3

SHA256
59936b168ddf053a0c41b90bf59d38de120405050ca4fdd6ce95999607d635aa

SHA512
31fab5d41da019fe2078081a6c396dd27a0d262efb7349d59447df01818f163c1fd3261db6f0641e2f9caa3792ccabdf562d66a6720dd7c7da8efa0132675a0e

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-59936b168ddf053a0c41b90bf59d38de120405050ca4fdd6ce95999607d635aa.exe

Filesize
1.1MB

MD5
24543ede296cec93295f04c0d08677b1

SHA1
f138cfd0cfed45ce5d12bb8febb70d413664f926

SHA256
da7bef92c92e60533fda227b1ae6a0d58b30698e059167072f07e4415adde6c0

SHA512
51f3b62adc951a25361e6e560c56ce22db4b78cd1386051b0a953e9b7b2ba14782562c4753641c3cb380142f190cb44a3b12a60f4f96de781d5ab591e8b2347c

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Gen.gen-d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f.exe

Filesize
666KB

MD5
989ae3d195203b323aa2b3adf04e9833

SHA1
31a45521bc672abcf64e50284ca5d4e6b3687dc8

SHA256
d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

SHA512
e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-40885989fcc40834fb10ebd49d8c65abb34f736ef94c7f18d169cca5370399c8.exe

Filesize
368KB

MD5
76b7a6a02760b32139335cf4aa6a745c

SHA1
339bdf5cdc99191438311b5c5a50c9f3dcaee21b

SHA256
40885989fcc40834fb10ebd49d8c65abb34f736ef94c7f18d169cca5370399c8

SHA512
cb9ccf335820385a4489b34d4a0467ea87928b7134544047f3c631845a4fca5dfa50954d3f766bb950b8415b01ad07b671b663901da3158ce296ca675c9a173a

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-482b160ee2e8d94fa6e4749f77e87da89c9658e7567459bc633d697430e3ad9a.exe

Filesize
145KB

MD5
20a04e7fc12259dfd4172f5232ed5ccf

SHA1
82f194e6baeef6eefb42f0685c49c1e6143ec850

SHA256
482b160ee2e8d94fa6e4749f77e87da89c9658e7567459bc633d697430e3ad9a

SHA512
376c03a16845d0b2080a5ec540a81f420b8e0957f9809bf0fd3218a2a4b28724a4a61975ac95314ba769ec9907eb1974c6cfccb0c777d062a314cf4fbbec648b

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-572d69c66b21161b0611c7044f756fe3c6b657634810745029290c1f861f2dfc.exe

Filesize
433KB

MD5
60696174c9f7b263dd00830de54fcfac

SHA1
9eae0b9bffd6050b0f4b83967a09746938daea4f

SHA256
572d69c66b21161b0611c7044f756fe3c6b657634810745029290c1f861f2dfc

SHA512
0cf1b1aa214e0bb2014f8f808d1a7e59569ec7a1bbc373f67ca89d3adce66b938f78cf3c167686bb3116be6590207063334acd8e7f8ebcc7b52242849ab28c83

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Generic-576c65998cacf1e3639c760684681224970812c0d96d6b30e8d3e3916cf7a5dc.exe

Filesize
1.0MB

MD5
26286efba7268a17f5562784842088e7

SHA1
7912301d231ec0814a7bec73431aeb232c61550a

SHA256
576c65998cacf1e3639c760684681224970812c0d96d6b30e8d3e3916cf7a5dc

SHA512
f6aa8e33d3f3671bc55487cd0dc2cb39bb113da4775c540109a35dfd554011ccbfdaf3625c9b7dcf4724113680a9d8310a39828bd170adcfc80de57997b48b84

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan-Ransom.Win32.Stop.gen-e7017bc00aa0edb5b7ffab2888009e32f50a6b38f95b1a7bcb99ccebd533b847.exe

Filesize
891KB

MD5
0773c0d93aea37a734ec91ce00628057

SHA1
48b7a590966e82363e269876469ae437a30c47e8

SHA256
e7017bc00aa0edb5b7ffab2888009e32f50a6b38f95b1a7bcb99ccebd533b847

SHA512
85abdc251fd9769be0ffcb9803044b7b656a4f5562944050d8fa3265d35f36546cd4404effc87d0b1d655db9bc78073c18090cb5faa8b81b9f4570091e35b839

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-0880b65270dcfed0251480835524034f5b8513a1ff80858b4239e5919a154ae5.exe

Filesize
842KB

MD5
44877e6c6d299e21f8d7f9993ec499dd

SHA1
f6e13c413cf6e2b4419cb24ead243d98e5bd99c4

SHA256
0880b65270dcfed0251480835524034f5b8513a1ff80858b4239e5919a154ae5

SHA512
a42db88a98f4de62d31e248e81186b94a17baaf2dceb39d922642508b9e65d23c0d3919f7501ce9dc7f7e2871adf3f9eda523080eaf6123e448f6fb7e67ebc2c

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-0d76692ad7589abbaa0d55e8c12b82040950a986f755c7d4f994f556ae6be710.exe

Filesize
2.5MB

MD5
4a758282f077f8a9a6473eb884b68311

SHA1
72eb5cd24e520a454fce654daa14dd8fd3c78e67

SHA256
0d76692ad7589abbaa0d55e8c12b82040950a986f755c7d4f994f556ae6be710

SHA512
72b7d7f9b58d8b34942c26c2131d16ddf2bb0edd637568ab783e7ba6ce5ea6e0287eb52174213125fc9fc29a34ea0848ef004a56c813d7b648d99fccc45be889

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-16819fd1edc14e76bef6a38e5a7ca59ac88b4f444f4e0604d7450d817fbcdc39.exe

Filesize
2.2MB

MD5
5417066db3b4902a51724cf8f5a45a60

SHA1
5bc11db6a5a8f29345a7709209eb3fd77796530c

SHA256
16819fd1edc14e76bef6a38e5a7ca59ac88b4f444f4e0604d7450d817fbcdc39

SHA512
018739555a99bb117fcbc6fafe8b166ba5ac0f4de37d678a0f20af247786f562ba0164f27299d5b12d3fde60000a7451beadf42f5e51f58a08da88a062e8884b

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-1cb224509ffa0bafec897ca5f0be90b8b29fc9d4c490eaeed2c91ee6a4a5f6dc.exe

Filesize
309KB

MD5
d1d660b5afe3b2c0c1565f28b4b5b6d6

SHA1
67e5de6f149a41dea484b986b5bc68451c3bb133

SHA256
1cb224509ffa0bafec897ca5f0be90b8b29fc9d4c490eaeed2c91ee6a4a5f6dc

SHA512
a4f870a57216ad04fa14df177cade376ac77c2a51b94596a4fd3bfbc286332a1ac607d36bc23fbdafce6d54201bbe787b040cd6d04c06cc687cc8254e435f419

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-1ef44b94929418aaf0187cb88717094827328517dc509586cf1e584cbb4a16fd.exe

Filesize
361KB

MD5
1d29003de33dee4c17f9b70c93b07997

SHA1
383f4805b6e2e60deaafa0b07eefcd7ccf2a89a6

SHA256
1ef44b94929418aaf0187cb88717094827328517dc509586cf1e584cbb4a16fd

SHA512
42a087db1869cefe126e62a6707212832c57153e2f9436bf1754200e88b9b13e95c4958aa26261ab23e1cd1fe1991716f95f3241cf90c42e651571071c1edd46

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-1f7c55dde3ba44df06230c8916577cba86a7d28097e6d7aad1e35a60ae40eaf3.exe

Filesize
858KB

MD5
0cf780a97e71e09348f9d9f32d759933

SHA1
90040beca0722b378291ecab274b62b718192757

SHA256
1f7c55dde3ba44df06230c8916577cba86a7d28097e6d7aad1e35a60ae40eaf3

SHA512
91b78b1669db3417a8c63e3217602ad5108cf22f2173c6fc44609dc144ab8060f971b1a514b83944c726203137fd459e930923ca8aa0b40be44ed0f7089962ab

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-277661c38de18968617ae428604ec7ad7a5692f5caaad3931f17176e071e4f03.exe

Filesize
1.2MB

MD5
ce6e6f404d1b5668fffd0504bfb9aafb

SHA1
38c7f7c5e5ba077922e29bdb15b0556cd044133f

SHA256
277661c38de18968617ae428604ec7ad7a5692f5caaad3931f17176e071e4f03

SHA512
ac1f8b3e33dcebdac942dd1fc239a0abbb0f1678da55cec5c2549f1b76f4141b52d8839d94bb2e15b29d8b489304b04583ec96fd0c9235146297d2643a8ffe3f

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-5b1de4b0ff969973eb143f6ef332b8423c1d1fc7f2afd361d67f1e9b08634d6c.exe

Filesize
213KB

MD5
f16a5c810cefd3fbb22d72adb89ec5f7

SHA1
b2a0f3558d9f7f1b3dfb921a5f88e2c3d4268675

SHA256
5b1de4b0ff969973eb143f6ef332b8423c1d1fc7f2afd361d67f1e9b08634d6c

SHA512
47715d9b58f6deda4c207f8945ff87abc8609820f278b1740759e88447c6886a6717becb2763d85d242b2b50c8889173d716c8a70a0844b2880439f54924543e

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-5e71728c17450e3af8003e8d8f40bc0db5ecd7219ddd38b23ef364649ea0d3af.exe

Filesize
22.0MB

MD5
7f3676727ead203329272df793ace2a9

SHA1
120c8e06a7b296077f551f6c63e6ae33d20bba65

SHA256
5e71728c17450e3af8003e8d8f40bc0db5ecd7219ddd38b23ef364649ea0d3af

SHA512
cfeabd064839c6ccd7cb367cff42df98e80b372faf7815894189676d87ae697c2ebdf2d207940837326c77db7e85204d9be402692498c4fb06fb3cbb4239e8f7

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-8499855ac05ebde1d6709eba64fc1a4615108b06823794173dce5a86db6975fb.exe

Filesize
483KB

MD5
611ffad27420d72547b50763fbabf5f4

SHA1
fa4a2c31886e0a624d5b75c563ed94a73a78af27

SHA256
8499855ac05ebde1d6709eba64fc1a4615108b06823794173dce5a86db6975fb

SHA512
fe22ad67eafc185a54f3665307fc3223c8e0fa4eb531e0a6a2de5fbbb53f7dce54831a5d09cb5fce53b9a4be1f17f47b369e4f4eeba394d6179a0bc19cbdf469

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-8f714abcc4e0c34ca9fc6575f9dfd5b24513cfb6963f55904fb3369b08f2b557.exe

Filesize
902KB

MD5
3770787ee3f8d5c68e5dd1005279ba43

SHA1
a6fa84440560766c5dfb6927fcd3dae54e7d086d

SHA256
8f714abcc4e0c34ca9fc6575f9dfd5b24513cfb6963f55904fb3369b08f2b557

SHA512
f768acd0f182ea0e024d0def340acb12b49ef7e5b4136b6574d56631bf14569acbf539e9eac94a89bd48267edb3165c3b6debfbe5b0d0a158f1d1aa7685a6b20

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-93844beb32f123137e77333d13b694b359eb9f5daceeeaef16434282f7bafd40.exe

Filesize
1.6MB

MD5
5bbe2813ae3308d859b6d1cba0b2798c

SHA1
228b640de76d98f06ade80d83c7587b49415fefb

SHA256
93844beb32f123137e77333d13b694b359eb9f5daceeeaef16434282f7bafd40

SHA512
cb27db5babafe271bf899552a0c409a12de22820e97de89ef70ce01b2c69b4b0afcdb4a7c334b811dcfa07af85ce379ca1f6fcd4309aea7c53b042e4f724325d

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-a1a5c10be16923b723d28fe09b9ee4fc3ffef0ae07382336e2e40996301aa1c1.exe

Filesize
1.0MB

MD5
1e6ad4909eb1e6d3c2948eb594514c80

SHA1
83dd92a8ed4fb7e68050d2de130b8dced93de869

SHA256
a1a5c10be16923b723d28fe09b9ee4fc3ffef0ae07382336e2e40996301aa1c1

SHA512
e41f8ce9033220c6b0e99ab493d9209edbadafdcc31a8cea88c1629745add1778fb1db8cc84d8e01aed2809c3353333f42a73fd55c3baec1cc0ef88ef5d6377f

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-a639c6d1b8dc851728dfd740ba403fbc264b21300709dcc1975ab92b0916dfc4.exe

Filesize
124KB

MD5
9f3013d2d2976ab993f8b1b73074bcdd

SHA1
62d92489250e4777d582e35c4942d3d960cfd245

SHA256
a639c6d1b8dc851728dfd740ba403fbc264b21300709dcc1975ab92b0916dfc4

SHA512
f032cb523d71e9844be54f2214570d0a0782977588276d66ecb7aab83cd217aa1597a905fa25a38b2f4a935065d840caf2e51ff55bf3906fb85280ba56974a20

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-b673586c71762485c7d6fca773eec0cb7345d9cc7f19f7051181aa214547d216.exe

Filesize
3.4MB

MD5
f020320d1e7c0db6a01ff9ee664e4f19

SHA1
c93e5ea618adf6d292a98e5165dc1b2232260b24

SHA256
b673586c71762485c7d6fca773eec0cb7345d9cc7f19f7051181aa214547d216

SHA512
884444e36056740ab1eefc9d7df3972ba5c2b265c86f486304769f5b52d4511e77e1658ee114f0f29766f99035a5ed4d92acca9070554b9ae2d07a42fdb4a71c

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-d058998ebb15dd211938d291735c99be09937fce6c5254683eeea4db9ec44614.exe

Filesize
6.8MB

MD5
4822bde2dcf221a0545bf21f7c6cc993

SHA1
e84c1b14be7f8bf4d4402f81d224373144092c06

SHA256
d058998ebb15dd211938d291735c99be09937fce6c5254683eeea4db9ec44614

SHA512
95494200c46570ed3f2e7be7c92709460e30d05a3b6c87592c6970a0f3ac8c79764ca685f0f50c03cbc5bfb4cc83309516e821aa74518365943a8199a6864458

Download Submit
C:\Users\Admin\Desktop\00449\HEUR-Trojan.MSIL.Crypt.gen-dae4ad42d68e430a7b14d92846b324b502b991326cb9b3c1a48335866c03cbe4.exe

Filesize
136KB

MD5
20c4647ef3303d0e411ce8fcf7c17d7c

SHA1
bd84f8110234a2f274e33f2941b8ed6f7db1f83a

SHA256
dae4ad42d68e430a7b14d92846b324b502b991326cb9b3c1a48335866c03cbe4

SHA512
bb5432d0105b809797a67d906ce6cf89b5dab8b9d668f80f1aeb0934765a3d124271d8dee57439cf562accb390f041eb680616d7e30965975e72a2cbb719f039

Download Submit
C:\Users\Public\Desktop\⎅⏍Ꭺੋඓ᤾઎⫠᭬⮇༌⼄ᚵᚧᛞ߀᧷≈ۏᵀ⢾ᛝ঵ⵑ⡐ᯠۑؖ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\Program Files\7-Zip\7-zip.chm

Filesize
1.8MB

MD5
3ccd0a0e0d9bac359ecedb758211ad1b

SHA1
659ebd7b1c01438f045ef1742112341787726c6f

SHA256
e32815707b1d0a75f853d37b172e0d4142c138c92ddec4c7915e8a10fc7b447b

SHA512
2b22c99641f1a15b1ba51b2675da568b4aeb90704bc8a9c2ed2a653fb264051b0e9bafadf1514b8419d56e2d16c22b9ce3d5a786761c7aa04aecbd43561262a8

Download Submit
memory/608-266-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/608-1708-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/860-220-0x0000000000B40000-0x0000000000B98000-memory.dmp

Filesize
352KB

Download
memory/1036-210-0x00000000000E0000-0x0000000000D10000-memory.dmp

Filesize
12.2MB

Download
memory/1092-202-0x0000000000BF0000-0x0000000000C52000-memory.dmp

Filesize
392KB

Download
memory/1316-172-0x000001DAD3C90000-0x000001DAD3CAE000-memory.dmp

Filesize
120KB

Download
memory/1316-170-0x000001DAD3CD0000-0x000001DAD3D46000-memory.dmp

Filesize
472KB

Download
memory/1316-169-0x000001DAD3C00000-0x000001DAD3C44000-memory.dmp

Filesize
272KB

Download
memory/1316-168-0x000001DAD2C90000-0x000001DAD2CB2000-memory.dmp

Filesize
136KB

Download
memory/1808-252-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1808-251-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1808-262-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1808-261-0x0000000075670000-0x0000000075810000-memory.dmp

Filesize
1.6MB

Download
memory/1808-243-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1808-253-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2116-182-0x0000000000920000-0x0000000000F44000-memory.dmp

Filesize
6.1MB

Download
memory/2244-348-0x0000000000400000-0x000000000099D000-memory.dmp

Filesize
5.6MB

Download
memory/2244-277-0x0000000000400000-0x000000000099D000-memory.dmp

Filesize
5.6MB

Download
memory/2476-219-0x00000000000E0000-0x000000000070A000-memory.dmp

Filesize
6.2MB

Download
memory/2800-209-0x0000000000890000-0x00000000008D6000-memory.dmp

Filesize
280KB

Download
memory/2800-211-0x0000000000F90000-0x0000000000F96000-memory.dmp

Filesize
24KB

Download
memory/2824-309-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2824-325-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2824-322-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2824-1734-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2824-1732-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3132-234-0x0000000000430000-0x0000000000B64000-memory.dmp

Filesize
7.2MB

Download
memory/3476-1677-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3928-198-0x0000000000180000-0x00000000007FA000-memory.dmp

Filesize
6.5MB

Download
memory/4136-233-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4136-301-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4452-238-0x00000000015F0000-0x00000000015F8000-memory.dmp

Filesize
32KB

Download
memory/4452-237-0x000000001BC80000-0x000000001BD1C000-memory.dmp

Filesize
624KB

Download
memory/4452-236-0x000000001C2C0000-0x000000001C78E000-memory.dmp

Filesize
4.8MB

Download
memory/4564-189-0x0000000000210000-0x00000000009A6000-memory.dmp

Filesize
7.6MB

Download
memory/4684-188-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/4684-186-0x0000000000610000-0x00000000006AE000-memory.dmp

Filesize
632KB

Download
memory/4684-187-0x00000000054B0000-0x0000000005A54000-memory.dmp

Filesize
5.6MB

Download
memory/4684-193-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/4724-224-0x0000000000C60000-0x0000000000C78000-memory.dmp

Filesize
96KB

Download
memory/4784-130-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-136-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-137-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-138-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-139-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-140-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-141-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-142-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-132-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/4784-131-0x00000237EF8C0000-0x00000237EF8C1000-memory.dmp

Filesize
4KB

Download
memory/5032-194-0x0000000000A40000-0x00000000010FA000-memory.dmp

Filesize
6.7MB

Download