crimsonrat | 720447db58834d8082eefc2f5b97e7567a6c6c6337c2e40300894fe8a467b671

Analysis

max time kernel
162s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00443.7z
Size

98.7MB
MD5

ffd83cd295f7cbc6d53e04355002f1f7
SHA1

10537b6b3ab6ea409ce1b4051e947f3b78d33f68
SHA256

720447db58834d8082eefc2f5b97e7567a6c6c6337c2e40300894fe8a467b671
SHA512

be26c60d2ce2cf987ff33d1645a82220903edc986e9acef4add8d676d39e4083f2e6e7af0797639e2a4910dd43313b987beb15b8cc9c9cbd5f49cc2696f1d614
SSDEEP

1572864:BLWlEuS5AE1Iq4FF3FJzDHuIHOp0+jMPEVDlxbQsApL/PtqclAT93WV5ajmYMHcj:BSqfAnq4FrBRH+jZVf05/lqGeQimPcj3

Score

10^/10

crimsonrat mafiaware666 vanillarat discovery evasion persistence ransomware rat

Malware Config

Extracted

Family

crimsonrat

167.160.166.80

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Detect MafiaWare666 ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cd4-349.dat	family_mafiaware666
behavioral1/memory/4228-352-0x00000000003F0000-0x0000000000542000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	ransomware.exe

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat
Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Vanilla Rat payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023cd0-330.dat	vanillarat
behavioral1/memory/2120-340-0x0000000000460000-0x0000000000482000-memory.dmp	vanillarat

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Foreign.gen-a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf.exe

Executes dropped EXE 13 IoCs

pid	Process
1660	HEUR-Trojan-Ransom.MSIL.Agent.gen-92f3d8854351b50c6c99de5681fbfda9dbd4eccd29e3e87d0885e5f1a8b45f35.exe
2120	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
4804	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3.exe
3184	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe
2792	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b80b26e6f666b034b7c2f3b91d594cfb43d18d5a000c6353e3bb6cd320c62618.exe
4228	HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
2692	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe
2684	HEUR-Trojan-Ransom.MSIL.Encoder.gen-adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde.exe
4676	HEUR-Trojan-Ransom.MSIL.Foreign.gen-a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf.exe
2820	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
5104	ransomware.exe
4180	svchost.exe
5092	trbgertrnion.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fery1Freezer = "C:\\programdata\\Fery1Freezer.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21 = "C:\\Users\\Admin\\AppData\\Roaming\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vttbaelarvir = "C:\\ProgramData\\Hithviwia\\trbgertrnion.exe"	trbgertrnion.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ransomware.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ransomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper	ransomware.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4180 set thread context of 1868	4180	svchost.exe	126

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\System32\README.txt	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe
File created	C:\Program Files\System32\ransomware.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4056	powershell.exe
4056	powershell.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3448	7zFM.exe
3008	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	3448	7zFM.exe
Token: 35	3448	7zFM.exe
Token: SeSecurityPrivilege	3448	7zFM.exe
Token: SeSecurityPrivilege	3448	7zFM.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4424	taskmgr.exe
Token: SeSystemProfilePrivilege	4424	taskmgr.exe
Token: SeCreateGlobalPrivilege	4424	taskmgr.exe
Token: SeDebugPrivilege	3008	taskmgr.exe
Token: SeSystemProfilePrivilege	3008	taskmgr.exe
Token: SeCreateGlobalPrivilege	3008	taskmgr.exe
Token: 33	4424	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4424	taskmgr.exe
Token: SeDebugPrivilege	2792	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b80b26e6f666b034b7c2f3b91d594cfb43d18d5a000c6353e3bb6cd320c62618.exe
Token: SeDebugPrivilege	2692	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe
Token: SeDebugPrivilege	4804	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3.exe
Token: SeDebugPrivilege	3184	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe
Token: SeDebugPrivilege	2120	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
Token: SeDebugPrivilege	4180	svchost.exe
Token: SeDebugPrivilege	5104	ransomware.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3448	7zFM.exe
3448	7zFM.exe
3448	7zFM.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
4424	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	HEUR-Trojan-Ransom.MSIL.Encoder.gen-adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde.exe
2684	HEUR-Trojan-Ransom.MSIL.Encoder.gen-adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3008	4424	taskmgr.exe	101
PID 4424 wrote to memory of 3008	4424	taskmgr.exe	101
PID 4056 wrote to memory of 688	4056	powershell.exe	104
PID 4056 wrote to memory of 688	4056	powershell.exe	104
PID 688 wrote to memory of 1660	688	cmd.exe	106
PID 688 wrote to memory of 1660	688	cmd.exe	106
PID 688 wrote to memory of 2120	688	cmd.exe	107
PID 688 wrote to memory of 2120	688	cmd.exe	107
PID 688 wrote to memory of 2120	688	cmd.exe	107
PID 688 wrote to memory of 4804	688	cmd.exe	108
PID 688 wrote to memory of 4804	688	cmd.exe	108
PID 688 wrote to memory of 4804	688	cmd.exe	108
PID 688 wrote to memory of 3184	688	cmd.exe	109
PID 688 wrote to memory of 3184	688	cmd.exe	109
PID 688 wrote to memory of 2792	688	cmd.exe	111
PID 688 wrote to memory of 2792	688	cmd.exe	111
PID 688 wrote to memory of 4228	688	cmd.exe	114
PID 688 wrote to memory of 4228	688	cmd.exe	114
PID 688 wrote to memory of 4228	688	cmd.exe	114
PID 688 wrote to memory of 2692	688	cmd.exe	115
PID 688 wrote to memory of 2692	688	cmd.exe	115
PID 688 wrote to memory of 2684	688	cmd.exe	116
PID 688 wrote to memory of 2684	688	cmd.exe	116
PID 688 wrote to memory of 2684	688	cmd.exe	116
PID 688 wrote to memory of 4676	688	cmd.exe	117
PID 688 wrote to memory of 4676	688	cmd.exe	117
PID 2120 wrote to memory of 2820	2120	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe	121
PID 2120 wrote to memory of 2820	2120	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe	121
PID 2120 wrote to memory of 2820	2120	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe	121
PID 2692 wrote to memory of 5104	2692	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe	122
PID 2692 wrote to memory of 5104	2692	HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe	122
PID 3184 wrote to memory of 4180	3184	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe	123
PID 3184 wrote to memory of 4180	3184	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe	123
PID 4676 wrote to memory of 5092	4676	HEUR-Trojan-Ransom.MSIL.Foreign.gen-a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf.exe	125
PID 4676 wrote to memory of 5092	4676	HEUR-Trojan-Ransom.MSIL.Foreign.gen-a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf.exe	125
PID 4180 wrote to memory of 1868	4180	svchost.exe	126
PID 4180 wrote to memory of 1868	4180	svchost.exe	126
PID 4180 wrote to memory of 1868	4180	svchost.exe	126

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00443.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Agent.gen-92f3d8854351b50c6c99de5681fbfda9dbd4eccd29e3e87d0885e5f1a8b45f35.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-92f3d8854351b50c6c99de5681fbfda9dbd4eccd29e3e87d0885e5f1a8b45f35.exe
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe
      "C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2820
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\WINDOWS\explorer.exe
        
        C:\WINDOWS\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6081645 --pass=myminer --cpu-max-threads-hint=20 --donate-level=5 --unam-idle-wait=15 --unam-idle-cpu=80
        5⤵
        
        PID:1868
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b80b26e6f666b034b7c2f3b91d594cfb43d18d5a000c6353e3bb6cd320c62618.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-b80b26e6f666b034b7c2f3b91d594cfb43d18d5a000c6353e3bb6cd320c62618.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
    HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    PID:4228
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Program Files\System32\ransomware.exe
      "C:\Program Files\System32\ransomware.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Suspicious use of AdjustPrivilegeToken
      PID:5104
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Encoder.gen-adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Foreign.gen-a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\ProgramData\Hithviwia\trbgertrnion.exe
      "C:\ProgramData\Hithviwia\trbgertrnion.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5092

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\System32\ransomware.exe

Filesize
48KB

MD5
afa452697ab73a80a1df9380d43c4a6b

SHA1
bae21838a0e7a3821f018da85a8f604236ffd574

SHA256
d9cdfd94e109da2f89b505b041360eca35054a3144e8d3cab13b4be541ecd48a

SHA512
9d363d6c7b9c7a1a9776f7f8b937c21a388e346f890ebd3fd1b2657ca48f76ab6738f435a33e2ce3423f186e2bbc1532dbc21a3c0bef037d01f020cf1dc39d17

Download Submit
C:\ProgramData\Hithviwia\trbgertrnion.exe

Filesize
10.3MB

MD5
8d3690ce3ea7026a252c7cbd7493e29f

SHA1
80395062eb010e0417517f7a717d9ecd99d79b74

SHA256
7eeac3f16e37b79ee6ba5e1ecf9a7d9ce9530b03c0bfd304fd6d49b73ab95d40

SHA512
cb7713718062778afc08a14b95d9a601b3e5032fee7d0c0d5e84170f4f7fcdab1a621b9201f873ab6545fd63fd7ae650f57ccf11ae3f091416099951ff4fcd23

Download Submit
C:\ProgramData\Hithviwia\trbgertrnion.zip

Filesize
63KB

MD5
5ad00e7eed27ae2517303955ead1437b

SHA1
0449c320f386c857dc9a74e9ddf845aa600029ea

SHA256
b6870213d7bead40b67033fae36c1c5d7a07dacfd3ba6ca4591f2a433d76d66c

SHA512
d735c3bf71183f125f51edc0eb72fab1d7b19293e37460e6deced4e1e94a6ecb15a17116b9ede752208541b86fbb431638a668807b0a734e2003dbafb0830d14

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gad4lxwb.hth.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\data.zip

Filesize
66KB

MD5
074eb731bdf200ed07a3339c21c3667a

SHA1
528cd3fe10ca2b91065ee1b6f6e770e96947620f

SHA256
f14748013ff47268297d29a605d17ed824f43358be09719f416bf805287ec144

SHA512
79d7aa13c1945b9b3c63319967e8f6da3abd32e1818803851253c2d301ad9376dd19bc308bcf36fe02c5f98cc469c32ec57157243685b694bf19d030c7306167

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Agent.gen-92f3d8854351b50c6c99de5681fbfda9dbd4eccd29e3e87d0885e5f1a8b45f35.exe

Filesize
520KB

MD5
1ef00a66107032235cff1ca524c82a90

SHA1
7a8c65b9022f8cd09a23ba98ef2f680ebfae50ca

SHA256
92f3d8854351b50c6c99de5681fbfda9dbd4eccd29e3e87d0885e5f1a8b45f35

SHA512
2856dfe4591a95d37f7095a09e543ee24c271e906b85c84051b8299974d564ef9890ecd984d77eec6a1858c609751cda082b3f8774491a8316df149e9821ea3c

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21.exe

Filesize
114KB

MD5
bb77e7baf81909cf519190424e183db9

SHA1
b87f09d0aa2ac639336ab99fbb909e2fbfb8f71b

SHA256
0e0246fb029cf7ad648918c553d1506adaf3a668f917a3e924e104891a6cfd21

SHA512
427c8f270791df2156c4cc62c9e7e87931ba895224ef6e81cde35fd022b115bed8043d1d93597a7bce35330e23f47c7b460691eda4f628b5c4523d2958a97a81

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3.exe

Filesize
279KB

MD5
d09062096338b06af54b544b30422c96

SHA1
5e96dd31e519cb1a74b85677efe7d2b128aacd37

SHA256
1999b0d35779b40659be680d0f130a2c9e269dbbf5739980df2a02513065a4f3

SHA512
c49ad467e3f4e891fd1cfe5ddd211ddb5bdc4d857bd4cc8184b004157a6c05415fa8b83b8f43249732387b19edad16f4a0d064db82c195b450cc216a52415010

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862.exe

Filesize
1.9MB

MD5
9635b303b57ae8253682862a19297750

SHA1
226c9f1a345acc8bcb21d6f7b79c37dbdec226e8

SHA256
5e718509797489dd9838a5023f0379e22a7ad746aeb3ed15b0d269b608b2c862

SHA512
dbe4652e99c2acb6d4280f28665cf2b74349906a3d395287a4c3f438d0f8b2502edc29c140476628d5d9007dd50407c42589f8b2a6f64798c69fcb315a32cb0f

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b80b26e6f666b034b7c2f3b91d594cfb43d18d5a000c6353e3bb6cd320c62618.exe

Filesize
6.0MB

MD5
5fa8379a2da74a995c6fd0742e83addc

SHA1
290f947957383b37690ef1fd83ccabd0305fcd2d

SHA256
b80b26e6f666b034b7c2f3b91d594cfb43d18d5a000c6353e3bb6cd320c62618

SHA512
a97a3bae9b6c9a32d878d561e4829bd955812c91fc9c18086e5fe55df1a8bd07943d71c264d329968457832b5c664d787a361bb170b7ab580468393224720b69

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Crypren.gen-b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867.exe

Filesize
1.3MB

MD5
a87dab3a9db347ee99882d8d075a6871

SHA1
2e559ceba9ddc285c9d8beb1b9aed1f229f10875

SHA256
b81eb2589b6ff68546891a15655e43d4f89ff2122b29e7a1d4d91430b2a21867

SHA512
bd575dcad6980a78db3387210cb69bd049d03d5c13471d3996fb7671aaf866b5f958efefdf22e75322b991e3739d1b957b04ab667261d273cb7efe1db8e6869c

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Encoder.gen-3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd.exe

Filesize
116KB

MD5
31a12d26a566ab61b2bacdea97d20dd1

SHA1
14f2883d0b9dfc96a749ca42483a69b8de84ef42

SHA256
3d93c21358b8002e2e2afec8f7cca4291cce3147fd1b3b89b0cf5b7dba4927dd

SHA512
901519987081c335b34f1fb478f2d74f86ca857889fafd35251bc7a1ed42b31341d84e6f72550ed8e44590d792410dc543ba5c4adc593fa95a151293efa14116

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Encoder.gen-adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde.exe

Filesize
1.6MB

MD5
91ee6e657b0426fb6474e8baab4165b5

SHA1
a94e1ad308e4be16002997d7389819322549c896

SHA256
adeca4785f7f42e29daa28f1a6cec358df3fa207b5b095858a51ca773f2a6cde

SHA512
085f9ad779f025a278cd4bb349409487992749cc575088decb46351f1b3f93f992500683de1c401f9648709a0551d3813c6e13e29e3676a6d5c084127f3c3f67

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Foreign.gen-a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf.exe

Filesize
119KB

MD5
677912b8a794016ce9ed7e15dc9b29e0

SHA1
581e45063a2777b4d0fbb044e3bf1c9764520a4f

SHA256
a77c02e4226e5fe04a908a59a0abbf90962c24dbbdb7b21dd3fc43c82332caaf

SHA512
873753552695ad298495f9489ea9dd749203e01aa0e599c330d39dc915b1d1ccccdce522411f84e3dd574563b231ea1a256ac1a083c853170d1e3c0ab902277a

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Gen.gen-635d71a378b2141b3d50d1c73de367c59a89259ee7e72f91b0f78e0c7737b562.exe

Filesize
1.0MB

MD5
150d3f7b92468b5b52ef9e1a637b0b94

SHA1
7fcac8109c868caee0034bbe21cc38d5c4392028

SHA256
30c18d22823651b52a559fb4dcb18ed0aad894641b92b75da82982ca29691b19

SHA512
8acd4781c32de212f608f92876a2e83d9de07bc4d6baf0a25d369bf7105140e89f3647475e9aaba7b8b41416f81319152eaacad9ea7c12f6bf5ee9fa3ffed1f9

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.MSIL.Gen.gen-9193aeca016a6793317e9b2d6ad24c841ac9d293f2224f11e7a4f186df819e5e.exe

Filesize
374KB

MD5
a9045127c13775322371c6175cfcbc91

SHA1
05a777b2507d0409f84d397eb31716be110ede7a

SHA256
f8d64ec672f93efaf2f421740f9f27a2037d885ea767e3bf3bb79467b6b35987

SHA512
ef4d5eb43dabcceb1c44a55cd3d93d9b89bd1ebfc63ee39f49de290fa2327c882d9cb6bcd103bc39dd1da9fa8dd65ecac21a50e444a563b36e4a21fce05ad092

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Script.Encoder.gen-481509a67f836e3826fd7835cded0619a1491ed914152d893c6d8ac950445f4f.exe

Filesize
763KB

MD5
488bc35002ca56e8f041100a72f6f937

SHA1
320d652a78042042bb016883ceb368281fd565e7

SHA256
10a5ce7ecdc92ac871b90ac93eb1312e5046677ccb57629cc1c4e2438b526ced

SHA512
c9c3e81d03fb5fe31bf3e91883e2698882019db1ee4492841971a9b4e19974a4ac225aed9853c831d553ac2fa2b789b0a72da7cd0284a6ad3334c2513f5fde55

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Blocker.gen-80e750904695cc70b05ca88819c5f87dfe32a8592d00c664d59837443faea6e6.exe

Filesize
3.7MB

MD5
5e6f15e3dddc2a14d227ed7d43fa69d4

SHA1
77b7ddd22df6508c3d08ee77f87241cdeb660644

SHA256
c761e6f4b43eb41c70deb2ab8b1f5274b6867d21550ed328c25b41a38d7cc1b7

SHA512
af5c2a9081ead0ad7698e0618fdb761d9fcf57787169d147b7a2912397d7595d7bdfe1d3ccb72a954f9511e49920291706230bb97f995bf377774128b88fc637

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Blocker.gen-c8ffb9d14a28fbc7e7f6d517b22a8bb83097f5bc464c52e027610ab93caec0d6.exe

Filesize
190KB

MD5
cd40b334a4ecfc5b293dbb8148a895b2

SHA1
473e0ac35e370ac24b981ba876486990380ba0d8

SHA256
64c194171286e39fe181e083fbee2ac74cc33937b0c08483ea3f6965dc305c16

SHA512
5a17fdac99a2e3d48e2896b28dc26c5b6e79c5065915bfde3c17280db12bafffa9c1ae66b9cd96762f461c3b0de1ef9ff31034757762fe73893b8d858fd48586

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-cfb9bd8d02089816a6f3ff89099d11c2462f67990f5233438c7167480169fcbb.exe

Filesize
1.8MB

MD5
0e9d9f34b3e6ba7194e19c1c10bc524b

SHA1
c6872449a20cb818d557086556fee0291a8be207

SHA256
666837bca47ecd6f8c3e6767a576520dda477374d4198b39368968cc79d314f4

SHA512
20281239294fecab41502d4c6f3cbbe5c22f54fe380d7eb1b430968a101761496f7c27cbf299a1aa34697c7b070e91064011b4bef373434f1f8548013456d3ba

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Cryptor.gen-48ee1f55ba5018517e4dd27c9223a86b9ef883a0fa00bd78bf591026f04ab2dd.exe

Filesize
450KB

MD5
f491616c928195590de1ee34d0eb3dc3

SHA1
191149d37cc9ab7c5849845e682eaf1b4d0daa12

SHA256
44885dbf8ef12850bed186507fa24a2c9bd2e4ee7d1f9b1277c43adde040f6c1

SHA512
659707d1cb87630046fffd49c8ecb6e4260086eb5cc7838b5dbb219303a15cf18a5bf869afa243fcd586f5ec30a48db2f83e863c8eacb2c8c9a75c504b6151a3

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Encoder.gen-615610390372838c4e644a39c880e9c7cf1acb2fb83337b6143771e6edd12738.exe

Filesize
362KB

MD5
b447cce52bdcbeff0d1d8d6c19c66be6

SHA1
09e24371a3cda9443f889a13dcea2909fb9210b8

SHA256
e5b1aec672f5d75652c05aa062df3d395689f55ceb109802b03ecf0dd1a230f0

SHA512
2539e9f3d64656254c3e3892e298c2c06e1ed1f11a24f7b17c3acee37ea1b93540db60f5ec9dba91ccd4ec0ac84a7c0724303ddd58263df8a64d0bc23b1815a1

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4ccb2d94ddcb0ca81af1212573ff866856a63cd165c4acec9128a0c0febcde2a.exe

Filesize
319KB

MD5
76082698c1f1ed9ccdddda70b973addc

SHA1
8662659974c6b64512fa96d7d28bac5a0c7b2bd2

SHA256
520f1168fb4f786b0d5c99547b2a59ad6340a5fbf73169c822510a24eaaa86e9

SHA512
e2e0984fd2fb8d25f6b9f0b8c29e22a47ccd4a44f3af826ac9da975b79ae7e5d4896e3f2dee5e17ad4c6c184aadcee441111e16ee2a9e256803981feee8ff53d

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Gen.gen-e22a60d71e23f295a0470c6a302e7dc0c09afe31380539de9841871da18e74a4.exe

Filesize
272KB

MD5
4d7d34dad04f64e411e8a22c0b6915b0

SHA1
bb1635ae9e293ef8ca0276301df0513c2978d617

SHA256
e22a60d71e23f295a0470c6a302e7dc0c09afe31380539de9841871da18e74a4

SHA512
0e2474cacef6dae7914cd6759a3aeaf229c431fcf8c5557e4c65836cbca3413744d67d7cb14560a8d4cae2854293e3ec6a4ecff1ec08674d0501281327aac4fe

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-10a5f887763b6caef2bef8103fcf081132f800e614aff0b2bd5973bb346c5ab3.exe

Filesize
128KB

MD5
a02c3a68c3f300c28a21cc68318487fa

SHA1
5bc0d575fbb75feceb0b16ae0594ddb0a0ab9094

SHA256
79c7a0120a1edfbc72a6a4497c07ef6fe54fd27a1d5bb60b6ef1d7da9c362527

SHA512
c2febfb5ac3db73c5f039accd27107f088602e39b95fe9910d6f43d8163a83e0286d43582afcb62bf642af888d9c3a8745a47ed7cc7978a48e8883120320d77a

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-1374678c5566510a4bda6f917fd097f3deaafc10f1df8c45dff788f20415bef3.exe

Filesize
1.3MB

MD5
a465feed9f689fb36e977935f160a183

SHA1
00078ad38c299e9b67458eab1196f97c66d27052

SHA256
cd991751cedf62b0379a0e14913a611b81d8e3d02d8884cc4b87bf99e2916aee

SHA512
bc794e639d956b967ba20907ba603a4f79ffe5b6271d1cb40b6563c143c29293e13db8d3082a5b4e2e8a32e89a0703c288e5b87067c47f16fdc27c10d5edd7e1

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-24b9c9a0710d9fee34473a1dca819a5d0f498096e0a5dd4118c736caec11db94.exe

Filesize
2.9MB

MD5
303221fe0edc9655074fc2945f50a653

SHA1
91ef3391a8b9f55e53f44b8b48ceac290ce96999

SHA256
2ec1434d5864a27a3c0130e381a83f2ce3657ebd846ee8e7383764dd37d49ca6

SHA512
e179ee077e0330ef10818dfeb2ba7f8999ec09e6caa542e996c47c5e039df3d0c172bfabfe4fe84a49441078c9699255c9705c00c5d5f11e5377ccf06107ae93

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-46ce17ebe942098bfb7e6e152bf89cff4334479f33f00d6f25ea3be4ba367304.exe

Filesize
3.2MB

MD5
9c3b6d5ecfc568c7607189da6f90ee6b

SHA1
3beb88c4f0b37219019763e4cea16ffa2e0d5c1e

SHA256
da31109d9ca5fcf9b9df7a891d18954ba2a001afdfd67f3104d92523ff3547b4

SHA512
83c054a636f9f6d859e618287f2a8747aa044e83f203948eae5c9f38893766a9cbaf40c6bfe8aa3fb632126824992462e87f9fae1e4813c5e50e92dde5e495bd

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-49921fa466e1dc65ea6c037726015a69c634fc1631a2e379bfb3d7cf7644bcad.exe

Filesize
1.3MB

MD5
2b443b9f1892f8df3a3e8798dcf2ff5d

SHA1
a8e57b02b38cd8a5d2f1d9e95a45b6d31ce71596

SHA256
4ec0077a8052a8879f54d7f7015bde937a5d28a7ccc46488587b5a2eccbe6647

SHA512
729efa43ed59d2e1aad19d347af6f70900b7f23e39b7a9e48950b2920147cfd1c95dc3c827d585206c4e279f08a68e8b68473887a599032dc433a0634c4d4293

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-597828b66ff6765f49f095b0261ce0063db905e9023320ee67a87ef23b6b890b.exe

Filesize
3.1MB

MD5
f4a99490add3631f5d83e7a0c04ae53c

SHA1
559bab9379c9734acccef651c1e580e13732a530

SHA256
da3fadceb05a910e0a7ed1ace9673b3e1d20f0c1da9907aa6df9598a8213815d

SHA512
cf9dfbee7ae0b59ffa017e903c9f40ac7c66ee28c74fd6e6b01388b2b96350e904ca0e2019981cd510ac10271d81cef8dc81cccecb8faa62f8d17d15fd5be4db

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-9952e1a0dab320a2a2a3f9f96fe72b5972db128d6c0f7595682d70cd5acb888d.exe

Filesize
62KB

MD5
99e8764b91321cf271d2146ebeb1e7d1

SHA1
a5a387c61c4187dc63449605d107a02ac2b0bbb6

SHA256
cdffd2c3f20202d66f17ddcf6cdb8bf8eb0620c477a35ca565ea526c7539c289

SHA512
b71e0f6add7fb926af902f4f62bbd9ec93ba80d84104b9917535fc26670cd7681bb85c3de3760351b61a848cd934f9218537326ba2f53b6fc0c82d03108fe78e

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-999c2b050ed234488c1cc12ac16a90fdb4dc1ed994baafaa2c09c0652cd549e8.exe

Filesize
280KB

MD5
782d928b52e53576f4186873fd513b03

SHA1
c6c2b66609fdd4ecffe67f1c0c38accd9742cafe

SHA256
020b1108988055464c54b1ae900d934b053319d05a34b8ec138adbb8a8a77b44

SHA512
8abc2dfacfff68ad4afa24bb362f9e155cdb86ac253fcee3f75e2f2b2c7ce2ca8a4faf703f5cf7024ade0645d96c32f739cf02e8420a77725fa30437247b22b2

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-cd5ac8465d473b7e579d9f4b679bbd9370cbb82e848173e361af96c2aad93bd7.exe

Filesize
2.9MB

MD5
d281899359b30762903340308ef313d1

SHA1
691e58701f739dfa6815734f99c67a8c6bf93986

SHA256
b4f0fa784045ed5fe1774323a61d2bc32a6340ea13ddbbc79027fae813994278

SHA512
335a1ec3b46040668cc75a00cbe4e72e33b708c49fef157377124c0d659c1c5ec47ed7c8d94a1c6c01a562a857f87d9f28a049ac664ee91e27a0beea2128ded0

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Generic-f8ddbe21f2c4f5c005c558932e599a0acd186279ac165db21dce053f1c4d2243.exe

Filesize
60KB

MD5
d1923989646d76413fa18b30d490d27d

SHA1
e259492a7981d96bf49c1ed0bfa64ab299a0d7a6

SHA256
d2dbc7923fe180a14a1d03d465a04b1bdce24f456e35985283464340d080c8cd

SHA512
05af5823a90dc83e99f2496af1d72fa248d3d05c4406b2195e70b7492605f8bdce3c544a5e2795b704a59aef9ea6c7e7cf729496ba07870ad4cff82a1fa86f3a

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-784114ebb31e2f4efe5a5af89d2f4d7bcd5bdb7aa6e94aabd1b91fe217be8382.exe

Filesize
1.3MB

MD5
d627ad09854369f007f16ba590e702b4

SHA1
ab582c10adeb3e8795b299bf11eeae1f8f8bdaac

SHA256
1a42b682968cf8c0382efc31c557f7c89acdd18aae8a2bd6689f1265601612b7

SHA512
c5a94d7aebf5aa4217560746bcd8341d66d8ecf7b713b3d45dbc9fb4fbb0a425af6496ac25cf0c0dc6934b8a47e7e2b6265d4b58f21ba2d23a61c6aa7462a18d

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Scatter.gen-23fdb252d710e1cdf399244939a1d3624e351f7ee85c3c7caccc3f5dc9f85850.exe

Filesize
198KB

MD5
394538b0cdf350a22d54ed1fa3f2b677

SHA1
344a0078b1156dcfe5f9185a9619f7e1d9a03121

SHA256
f409710e464a5eacddd6e797d064602bf02f9668599d8bf17e202c3a76aaab6d

SHA512
28d5f3de4132d0886209d6ed2f2a984bcc2eb3e49d4aa33bf66bff256af5c7defbd3da8912ae6e88a6acf9c999de22887ef5871fda37c3a5c64cfb85cdc8eef0

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Sodin.vho-de20c90de7becbb2f8b92ac42d71a3db3db498472746d0d6f53c368dadba44b0.exe

Filesize
122KB

MD5
05f4a209d76ddf889f6a1cd9ef0eaadd

SHA1
5cd4531a07dcb77435e11af80474c35ca11d7a56

SHA256
122fb22c0ee6488fc418089b18521ad56bb8458260eebd8bb38ff990ac090095

SHA512
60651a7601ff2433affe47c96bd4ce2dbd762c4f65052254feb4536a3abb32c5ca83cb8e6ea50cb327b6ee09ec00664a2cab6eb923a781ff2b2c97a2d68f37ca

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Stop.gen-63dcb59bb6b26c827bf49d150e3830401cb4c7389ddb3ac96dfe179381c7db70.exe

Filesize
4.4MB

MD5
7fedca688fe409716272a2a1eec6a2ae

SHA1
96e287073d75aea43725e9487eafbb0552aa41cb

SHA256
89940d8ee8d5bcc2dc45dcb976f75cdd2b38b11b124d0da4a6f190389483c8bc

SHA512
aba25f141502b98046111c2fa12c22cdb6271c28077ca90ff5232b11783cd7789aead087a6cc2afe9e55b77f7718bd3ceb1c416d684289c2b724627f69fd549b

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.Stop.gen-dd9521c2cff23e51edd57fd044dfaea21e5d79165f8190c7980cc4da75958bd4.exe

Filesize
847KB

MD5
32d72c353932edb3d0c67e99ac6fcf7e

SHA1
16415de2c93e7d4e029fff1a94d8f042c23b961c

SHA256
59b3edf8d4c3925e24794b3f0b1a7815ccf58147e597aac2ee87fe10e5caf6fc

SHA512
bbcbab45a2943b39b2fb5d95a80d8f86514ed47d414788223616f14c3607fd7cf1a0b8948c7e66f57c645789a4cdca504995de6a312ee0d71f5d85c42702ba39

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan-Ransom.Win32.SuspFile.vho-a4d9cf67d111b79da9cb4b366400fc3ba1d5f41f71d48ca9c8bb101cb4596327.exe

Filesize
3.0MB

MD5
e9a2337d2d53c00646ec41d9667876d6

SHA1
605b94e38163d1a80e1cee259ea2aaf3c736d439

SHA256
b719b493fef51e64cdad8602980fa671712adc632a146a7a84d09f1fcb828997

SHA512
5c3b497bca706572aab8a29135c93bc11209decfcdc42d671683a69b1683572c0eddccd0df6d5729a746780bb416ee8b3a83c8c7a3ec9880997dcce3092aabbd

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan.MSIL.Crypt.gen-0b284e4b0f1f90f8435bef1c4280cb4e60111734566bccc83f009b13673870b5.exe

Filesize
911KB

MD5
f3fb4c01fd91e2b2806d2e3d32a5564d

SHA1
8c53f5fffe7733b17777a31b80e78b278a7368fa

SHA256
69119a2225ac722369ec972eec36b9ff433c5c1b741295ced7f22c760cdf56e6

SHA512
e891dde1fb315ee2841865a563ab71e4748fb861f644e9887150444ee0fae799564ec64aebc40fa55b75fc160ad55daf590fcb8330ea4c3c8e1a5b816c411acb

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan.MSIL.Crypt.gen-11c2b28efa824f16ea742d3ae847e8d936ca51ef9c73bf0c522a4fa2780b417a.exe

Filesize
644KB

MD5
93737185312dc03f1d721fb9b340f66f

SHA1
90b257e38e61e9e70aa7435f77619f4f7b32b861

SHA256
dce80ee4bbeb8898f2f827423d0701efd91e9d8636437b6a3b0007563e33a6c5

SHA512
6981bb98a5babcd375103e08f767614e03d5ce725c35c4a5e0ebb346efcaf4d30b32ac7d4341d19d49b21ed8d6b3dac4032941843a575e6ec5916f6ad8fe055d

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan.MSIL.Crypt.gen-141f300d0b17a987f993445419fa39c07b08e1efd92d44821bbae2f43ba0cfa9.exe

Filesize
103KB

MD5
854c3a424c51a12050900803ddb068de

SHA1
f28552f1e8348d9ff3f74867b03bd960b754e37d

SHA256
3b9627f2702dbe644cc9a783f5505eb3b01d6282a1fe4656e14d602911c34595

SHA512
31abef1b8e2f27051341d8c98b34d22db9998db1af59c83f34682c70d3d572e5fe43efc56385329ece9cc9f77e3f8c5b80ea199ab0020463cafb230ed7f3663c

Download Submit
C:\Users\Admin\Desktop\00443\HEUR-Trojan.MSIL.Crypt.gen-1799110415cebaefb37d1b4cd9f153fd55c71c2863f9f08fa1bbe72d7dee54e5.exe

Filesize
131KB

MD5
600e96768f5b4724920a82434ca5b040

SHA1
4098e365c8ac13021552b7a2ba5a21aadbc2d57d

SHA256
a3a3d306f262558c765baace902ca76c3dea4b2ec4326aa88597a6816e9821dc

SHA512
f9bbd49277e9636d3522997098750c0d03d3e07b94855e1b48c5e2da4ddc5efa395c078a548ddd6606bcacf1583d74243ed7c8b29fd501d6efcfc273d2e3f86d

Download Submit
C:\Users\Admin\Desktop\AddInitialize.i64.cyber

Filesize
503KB

MD5
672567b054304b6d5c413fbb5c13a8a6

SHA1
c798c8536d684d5efa86a0c58959084e8d966cdb

SHA256
aad48faaa425723cf60396dcf8909eb0008d706a805ddf5c8e568808e65fc8a5

SHA512
2394360b077d750ef7fea6f1de5cc001dd2c6c0500b9a3c906589aa986c3cca160bc13b30bd1f3dea63910b303769522834dd99b5fc6b5d0f1068d0a898bd45c

Download Submit
C:\Users\Admin\Desktop\AddSelect.avi.cyber

Filesize
918KB

MD5
8613b8bfcd9d3d2cad9587733e5a004c

SHA1
4579a8386a097cf4b6cfd3bbdca802692ef4871b

SHA256
8a3cc8b3b470f1a04e11a7095607824ef96376f0df4198d1138123d2ea13ffe3

SHA512
c7dbba792f27f511665296370dbe56b7d4861cb13fe960926f8eef72c301d88634b5d911ea68b2141411a9fc5e332276aeb9e3b81526b068790239c66daf6ec5

Download Submit
C:\Users\Admin\Desktop\CloseStop.mpg

Filesize
622KB

MD5
3466b5a3bd10dcdfe53a8d3452910403

SHA1
1d70d3d7d0f99360ae7bb6028441f563e54892e0

SHA256
bc40475956a29de0949144890ada797106e21f92d052596d272fd1a22f72c40a

SHA512
040d3bc526863ba50bebafd0fe5254bd7155d657cf534746c6cdb60c7ad73a77afa0516348f5cf318de7271dffae8b167e1b78b5d109768132545baab214b6fc

Download Submit
C:\Users\Admin\Desktop\ConnectResume.raw

Filesize
888KB

MD5
11a04883e9af9834d5f661c05aec5813

SHA1
affa7f42cce20a6a4ae1a014cf761a873c16b47e

SHA256
e4a23dcbe1f804da4053fd42240b9dbd5b3819b4c4c72b42d372ef4eabe7c324

SHA512
2035359efc1ef00b5db0570bae245fb80bf940f2d7ef91dae4d4c1e1693832bb6617e6265856a94bb4a03b3bea801840462a5f443633f0a19980fc038cb65dfb

Download Submit
C:\Users\Admin\Desktop\CopyResize.wvx

Filesize
414KB

MD5
3fe4d019fc48e98f3e666395a69c969c

SHA1
53984f6d5f1794907ad028c78d81bd0d9aabc474

SHA256
c60a8c1b0e51f777c9f47bf29b7acbebbb06bc40bd6d9802207b538d59930514

SHA512
5ed13a3b041e872a0caa69b446a57ab997f88a2e2aed89507e64e256782cc0313edac59604fab7986db8663148bd4156c0386f6e953d4f95ea978297ad87bacd

Download Submit
C:\Users\Admin\Desktop\DisconnectCheckpoint.docx

Filesize
20KB

MD5
732e64ff308052728e4e551d459ad479

SHA1
04c7ecf135c18b95f7748478c8f448d8ee9b0d44

SHA256
e37d64aaf874662c31a21fe422f1bd573f9ed5eae64b2e1d9eb52aac6e24a126

SHA512
6390434c97f38d5da522647e2e10187c9119d2f0554f44615e7c6d17868c71783b9ede9ed6c6765ab1ff6c9671347caac0bbe1aef533ae57399ea5dd9bd2c9ee

Download Submit
memory/1660-328-0x0000025209270000-0x00000252092F6000-memory.dmp

Filesize
536KB

Download
memory/2120-340-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download
memory/2120-342-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/2692-357-0x00000000008E0000-0x0000000000902000-memory.dmp

Filesize
136KB

Download
memory/2792-392-0x000000001BA70000-0x000000001BBDA000-memory.dmp

Filesize
1.4MB

Download
memory/2792-347-0x00000000004C0000-0x00000000004E8000-memory.dmp

Filesize
160KB

Download
memory/3184-338-0x0000000000360000-0x0000000000550000-memory.dmp

Filesize
1.9MB

Download
memory/4056-289-0x000001CCF83B0000-0x000001CCF83F4000-memory.dmp

Filesize
272KB

Download
memory/4056-287-0x00007FFC2BD10000-0x00007FFC2C7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-288-0x00007FFC2BD10000-0x00007FFC2C7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-311-0x00007FFC2BD10000-0x00007FFC2C7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-286-0x000001CCF81F0000-0x000001CCF8212000-memory.dmp

Filesize
136KB

Download
memory/4056-304-0x00007FFC2BD13000-0x00007FFC2BD15000-memory.dmp

Filesize
8KB

Download
memory/4056-290-0x000001CCF8480000-0x000001CCF84F6000-memory.dmp

Filesize
472KB

Download
memory/4056-322-0x000001CCF8440000-0x000001CCF845E000-memory.dmp

Filesize
120KB

Download
memory/4056-276-0x00007FFC2BD13000-0x00007FFC2BD15000-memory.dmp

Filesize
8KB

Download
memory/4180-505-0x000000001D220000-0x000000001D232000-memory.dmp

Filesize
72KB

Download
memory/4180-606-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

Filesize
32KB

Download
memory/4228-352-0x00000000003F0000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4424-297-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-302-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-293-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-298-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-299-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-300-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-292-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-301-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-303-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4424-291-0x0000020D57840000-0x0000020D57841000-memory.dmp

Filesize
4KB

Download
memory/4676-367-0x000002178F9C0000-0x000002178F9E6000-memory.dmp

Filesize
152KB

Download
memory/4804-355-0x0000000002ED0000-0x0000000002EDA000-memory.dmp

Filesize
40KB

Download
memory/4804-339-0x0000000000A20000-0x0000000000A6C000-memory.dmp

Filesize
304KB

Download
memory/4804-341-0x0000000005350000-0x00000000053EC000-memory.dmp

Filesize
624KB

Download
memory/4804-356-0x0000000005620000-0x0000000005676000-memory.dmp

Filesize
344KB

Download
memory/4804-346-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/5092-611-0x0000017C81D50000-0x0000017C827A0000-memory.dmp

Filesize
10.3MB

Download
memory/5104-395-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download