teslacrypt | c7503cdbc638d4886e9b06942b9afc345f041663734963b49fb25e1577287c46

Resubmissions

08/01/2025, 10:41

250108-mrhn7swpb1 6

08/01/2025, 09:59

250108-l1h6naxmfq 10

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/01/2025, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lighthouse_teslacrypt_ransomware.mp4
Size

3.1MB
MD5

577c4a77455c945bf638349a16aa9b47
SHA1

ff9139369ebf187e64c86348132dfb5f20bd4ac9
SHA256

c7503cdbc638d4886e9b06942b9afc345f041663734963b49fb25e1577287c46
SHA512

64a5510ca8c19915c9a88a524ca12731d2cb7b672d84f9db58c0aac7e39e1d89cf50981078dbcb905fd75f259124b9aee055e2d6fc95387023345c770313283c
SSDEEP

49152:pHZUdEm4AOcOgifdrIstug5mBdNUQIAfe3o7DDeh+HAjADJEsgBUEG5o5OpaRWC3:pHZA74A9UfOCmHIRoDeCJDGVBvG5o5O0

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+kbhmr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2D153632C1DC9A15 2. http://tes543berda73i48fsdfsd.keratadze.at/2D153632C1DC9A15 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2D153632C1DC9A15 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/2D153632C1DC9A15 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2D153632C1DC9A15 http://tes543berda73i48fsdfsd.keratadze.at/2D153632C1DC9A15 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2D153632C1DC9A15 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/2D153632C1DC9A15

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2D153632C1DC9A15

http://tes543berda73i48fsdfsd.keratadze.at/2D153632C1DC9A15

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2D153632C1DC9A15

http://xlowfznrg4wf7dli.ONION/2D153632C1DC9A15

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (423) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe

Executes dropped EXE 2 IoCs

pid	Process
1636	ransomware.exe
1272	gkxrvniwwmhb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ibqeatrlnidb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gkxrvniwwmhb.exe\""	gkxrvniwwmhb.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1768	certutil.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Services\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_RECOVERY_+kbhmr.html	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_RECOVERY_+kbhmr.png	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_RECOVERY_+kbhmr.txt	gkxrvniwwmhb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\gkxrvniwwmhb.exe	ransomware.exe
File opened for modification	C:\Windows\gkxrvniwwmhb.exe	ransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gkxrvniwwmhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0B7BA31-CDA7-11EF-8287-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2628	NOTEPAD.EXE
908	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2112	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe
1272	gkxrvniwwmhb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	vlc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1272	gkxrvniwwmhb.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: 33	2112	vlc.exe
Token: SeIncBasePriorityPrivilege	2112	vlc.exe
Token: SeDebugPrivilege	1636	ransomware.exe
Token: SeDebugPrivilege	1272	gkxrvniwwmhb.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: SeBackupPrivilege	2760	vssvc.exe
Token: SeRestorePrivilege	2760	vssvc.exe
Token: SeAuditPrivilege	2760	vssvc.exe
Token: SeShutdownPrivilege	1332	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe
2112	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2112	vlc.exe
1744	iexplore.exe
1744	iexplore.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1768	1544	cmd.exe	34
PID 1544 wrote to memory of 1768	1544	cmd.exe	34
PID 1544 wrote to memory of 1768	1544	cmd.exe	34
PID 1636 wrote to memory of 1272	1636	ransomware.exe	37
PID 1636 wrote to memory of 1272	1636	ransomware.exe	37
PID 1636 wrote to memory of 1272	1636	ransomware.exe	37
PID 1636 wrote to memory of 1272	1636	ransomware.exe	37
PID 1636 wrote to memory of 884	1636	ransomware.exe	38
PID 1636 wrote to memory of 884	1636	ransomware.exe	38
PID 1636 wrote to memory of 884	1636	ransomware.exe	38
PID 1636 wrote to memory of 884	1636	ransomware.exe	38
PID 1272 wrote to memory of 2964	1272	gkxrvniwwmhb.exe	40
PID 1272 wrote to memory of 2964	1272	gkxrvniwwmhb.exe	40
PID 1272 wrote to memory of 2964	1272	gkxrvniwwmhb.exe	40
PID 1272 wrote to memory of 2964	1272	gkxrvniwwmhb.exe	40
PID 1204 wrote to memory of 1332	1204	chrome.exe	50
PID 1204 wrote to memory of 1332	1204	chrome.exe	50
PID 1204 wrote to memory of 1332	1204	chrome.exe	50
PID 1272 wrote to memory of 2628	1272	gkxrvniwwmhb.exe	54
PID 1272 wrote to memory of 2628	1272	gkxrvniwwmhb.exe	54
PID 1272 wrote to memory of 2628	1272	gkxrvniwwmhb.exe	54
PID 1272 wrote to memory of 2628	1272	gkxrvniwwmhb.exe	54
PID 1272 wrote to memory of 1744	1272	gkxrvniwwmhb.exe	55
PID 1272 wrote to memory of 1744	1272	gkxrvniwwmhb.exe	55
PID 1272 wrote to memory of 1744	1272	gkxrvniwwmhb.exe	55
PID 1272 wrote to memory of 1744	1272	gkxrvniwwmhb.exe	55
PID 1744 wrote to memory of 1408	1744	iexplore.exe	57
PID 1744 wrote to memory of 1408	1744	iexplore.exe	57
PID 1744 wrote to memory of 1408	1744	iexplore.exe	57
PID 1744 wrote to memory of 1408	1744	iexplore.exe	57
PID 1272 wrote to memory of 1568	1272	gkxrvniwwmhb.exe	58
PID 1272 wrote to memory of 1568	1272	gkxrvniwwmhb.exe	58
PID 1272 wrote to memory of 1568	1272	gkxrvniwwmhb.exe	58
PID 1272 wrote to memory of 1568	1272	gkxrvniwwmhb.exe	58

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gkxrvniwwmhb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gkxrvniwwmhb.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\lighthouse_teslacrypt_ransomware.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\system32\certutil.exe
  certutil -decode lighthouse_teslacrypt_ransomware.mp4 ransomware.exe
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:1768

C:\Users\Admin\AppData\Local\Temp\ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\gkxrvniwwmhb.exe
  C:\Windows\gkxrvniwwmhb.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1272
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2628
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:1408
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\RANSOM~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4c39758,0x7fef4c39768,0x7fef4c39778
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1332

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
1⤵
- Opens file in notepad (likely ransom note)
PID:908

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+kbhmr.html

Filesize
11KB

MD5
b70b5e8ef0ddc6871bb74e14b48f9103

SHA1
2d2ebd2de8a4567747e031042a1b828c8acb2491

SHA256
c8f129824d7d65e00315b96b483c17de426568227a17d926f98f093d61e16f24

SHA512
1a00f27c9ad59d84f611ce6a69c4e7ec9cd4cc22ca470c24acd2c138ef84ccb06339df136fe4bbcc71fd60b321413c64666d73ddd1d9d922af305ea9645c0fad

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+kbhmr.png

Filesize
62KB

MD5
374578870a017489a1812785ac8593f6

SHA1
8b4adcba2feca1607fb70b0f52dba0f9a8d52fed

SHA256
495ebc482f5baa27645efff5d8baf8441db7ca2af0f4e531ff1d63414067ea16

SHA512
c3de4700ad6c5280dbc8e7331408f0c787cb59ff820b5ff79f0f7d86d9b6406f3f3c82074545083ca31551ce026a583d59f8640f822ee4e0573674c8560f406a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+kbhmr.txt

Filesize
1KB

MD5
d99d4031c82813f9ea660db89d012de8

SHA1
1d8925232f0fa712ebef215bc8ed925e68a526b0

SHA256
d2e6ccc2b9578be0dc7404641341ed53f33a481b7f14c74f49a220abd487a70e

SHA512
c0d5f10f04935c8d84457850360e0174fff7870ec5d266abcc3274be5a3728179efa2bcdcebd4cd4ed022a7ff66b8a9d5e837c596e38f2cd5b1dcbeb01cfc316

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f0cb0847c9f7250d86a52fb5d17ebd1b

SHA1
5c1dbb0c530f4087356dba12110a0a9b37a2a1bb

SHA256
86d62f46fd7c9bb35a4eb2ff980b3e9b0d40afcbdfef180c9ec759bc4e0186ab

SHA512
d03c2c49b4bb87c09e2ca3c034ffaa836663d63d9e0e74bc91dcac8ae342f6de9ab4ed641e2675ba27d2d055ae6d66210415292e8f263bdab8f6db5e5435280d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ef13eab8436545de6c87accdc719bb5c

SHA1
11a20c6228746704b76bbd5f32eda17683bf1ed9

SHA256
dd98a957e21b55b2ca8159c12bea39a8697dd0d0eabcb288b28607111d55366e

SHA512
7d69e92c10c1d24720a746ad2172f5d0dce27e48ae196e1f7cd6fcb06600ce1ef41e7773b1860d61ee90bc83389741810cf2d52312cc01140e09fa25a7debfbb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
ecd245f7e4cb0bd65c6ff08a5bdc127c

SHA1
aad8f27c72264d1bfef0289db85edbd68466b325

SHA256
18be83e7e5344adffef6059071a63aca3832d64a468930c5567e19448ba4b479

SHA512
4b865bea3b262427ee79894616c6ec8b03fdff134c6056c455900d42021af1eddb3bf1a9849cb1cba68d17a5aaedce4b7e68003d403db3cdd6973ebfaf08f51f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\14c94bed-1f43-4a48-8b04-fc6c35f3598d.dmp

Filesize
163KB

MD5
d1223564d9754037caa23570ccf76c5e

SHA1
0c7cb100880a5711a2e38e4cf44bc3b02dbf3d97

SHA256
b8f50a40958de12170ca8577b9429982cbbfbfb239203f9cb7212d39b35d99a7

SHA512
89f5a8e373731decb0197bc0510b2c4ce491dafd7da6a5f8a5e870c8f42a1b4f458161a99834d7454884fdebfe015df37620ff4f0c254f1c9335f38d649b8625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
44691fdf709576c5467bd86b9d95cecb

SHA1
9c0e49c662f20cdd89217f1bb4b4ba701e659697

SHA256
bbeef7deae86cbdb634c26982101647e319bb03dce941d124f0ab0edc8a76de9

SHA512
e52fb7f7091ed7a21944c629081fa5069f47fc076911101e20fdcc183c35b7b460fbbfac56f1f91052b1d35a35e66ce2dafce70349ed34ca6f16ba1e1f1fabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ransomware.exe

Filesize
316KB

MD5
1f9d9c8b17bc4e6ab42217e4ca879273

SHA1
ebbaefabffef6eac50f8c52c84a51cb7442ecaea

SHA256
c2f389b2ee29d7b7d23ba7f1d248b0e9fc9d8c8a60e77cd75b6bd8dd2b38db00

SHA512
9ff77d473a0cbaee33d576aea49cfde04946353c2334d18587ee732c90eb656eef35485996934385b32f94729999c6f2bf83ae572541f4adb56f4659cc9c848e

Download Submit
memory/1272-2036-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1636-209-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1636-206-0x00000000004A0000-0x000000000053F000-memory.dmp

Filesize
636KB

Download
memory/1636-198-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2112-36-0x000007FEF2FF0000-0x000007FEF3032000-memory.dmp

Filesize
264KB

Download
memory/2112-43-0x000007FEF29F0000-0x000007FEF2A32000-memory.dmp

Filesize
264KB

Download
memory/2112-15-0x000007FEF6DD0000-0x000007FEF6DE1000-memory.dmp

Filesize
68KB

Download
memory/2112-16-0x000007FEF6BC0000-0x000007FEF6C01000-memory.dmp

Filesize
260KB

Download
memory/2112-17-0x000007FEF6780000-0x000007FEF67A1000-memory.dmp

Filesize
132KB

Download
memory/2112-18-0x000007FEF6BA0000-0x000007FEF6BB8000-memory.dmp

Filesize
96KB

Download
memory/2112-19-0x000007FEF6760000-0x000007FEF6771000-memory.dmp

Filesize
68KB

Download
memory/2112-20-0x000007FEF6740000-0x000007FEF6751000-memory.dmp

Filesize
68KB

Download
memory/2112-21-0x000007FEF65A0000-0x000007FEF65B1000-memory.dmp

Filesize
68KB

Download
memory/2112-22-0x000007FEF6580000-0x000007FEF659B000-memory.dmp

Filesize
108KB

Download
memory/2112-23-0x000007FEF6560000-0x000007FEF6571000-memory.dmp

Filesize
68KB

Download
memory/2112-24-0x000007FEF64C0000-0x000007FEF64D8000-memory.dmp

Filesize
96KB

Download
memory/2112-25-0x000007FEF6490000-0x000007FEF64C0000-memory.dmp

Filesize
192KB

Download
memory/2112-27-0x000007FEF6420000-0x000007FEF6487000-memory.dmp

Filesize
412KB

Download
memory/2112-28-0x000007FEF4CC0000-0x000007FEF4D3C000-memory.dmp

Filesize
496KB

Download
memory/2112-29-0x000007FEF6400000-0x000007FEF6411000-memory.dmp

Filesize
68KB

Download
memory/2112-30-0x000007FEF4C60000-0x000007FEF4CB7000-memory.dmp

Filesize
348KB

Download
memory/2112-31-0x000007FEF4AE0000-0x000007FEF4C60000-memory.dmp

Filesize
1.5MB

Download
memory/2112-32-0x000007FEF63E0000-0x000007FEF63F7000-memory.dmp

Filesize
92KB

Download
memory/2112-26-0x000007FEF4D40000-0x000007FEF5DF0000-memory.dmp

Filesize
16.7MB

Download
memory/2112-38-0x000007FEF71F0000-0x000007FEF7200000-memory.dmp

Filesize
64KB

Download
memory/2112-40-0x000007FEF2B30000-0x000007FEF2B41000-memory.dmp

Filesize
68KB

Download
memory/2112-34-0x000007FEF3060000-0x000007FEF3266000-memory.dmp

Filesize
2.0MB

Download
memory/2112-7-0x000007FEF6000000-0x000007FEF62B6000-memory.dmp

Filesize
2.7MB

Download
memory/2112-39-0x000007FEF2B50000-0x000007FEF2B7F000-memory.dmp

Filesize
188KB

Download
memory/2112-41-0x000007FEF2B10000-0x000007FEF2B26000-memory.dmp

Filesize
88KB

Download
memory/2112-37-0x000007FEF2FA0000-0x000007FEF2FED000-memory.dmp

Filesize
308KB

Download
memory/2112-42-0x000007FEF2A40000-0x000007FEF2B05000-memory.dmp

Filesize
788KB

Download
memory/2112-35-0x000007FEF3040000-0x000007FEF3052000-memory.dmp

Filesize
72KB

Download
memory/2112-14-0x000007FEF5DF0000-0x000007FEF5FFB000-memory.dmp

Filesize
2.0MB

Download
memory/2112-44-0x000007FEF2980000-0x000007FEF29E2000-memory.dmp

Filesize
392KB

Download
memory/2112-45-0x000007FEF2910000-0x000007FEF297D000-memory.dmp

Filesize
436KB

Download
memory/2112-46-0x000007FEF28F0000-0x000007FEF2903000-memory.dmp

Filesize
76KB

Download
memory/2112-47-0x000007FEF28D0000-0x000007FEF28E4000-memory.dmp

Filesize
80KB

Download
memory/2112-48-0x000007FEF2880000-0x000007FEF28D0000-memory.dmp

Filesize
320KB

Download
memory/2112-49-0x000007FEF2860000-0x000007FEF2875000-memory.dmp

Filesize
84KB

Download
memory/2112-50-0x000007FEF25B0000-0x000007FEF2860000-memory.dmp

Filesize
2.7MB

Download
memory/2112-54-0x000007FEF2500000-0x000007FEF2512000-memory.dmp

Filesize
72KB

Download
memory/2112-55-0x000007FEF24E0000-0x000007FEF24F3000-memory.dmp

Filesize
76KB

Download
memory/2112-53-0x000007FEF2520000-0x000007FEF2531000-memory.dmp

Filesize
68KB

Download
memory/2112-52-0x000007FEF2540000-0x000007FEF2563000-memory.dmp

Filesize
140KB

Download
memory/2112-51-0x000007FEF2590000-0x000007FEF25A5000-memory.dmp

Filesize
84KB

Download
memory/2112-56-0x000007FEF2360000-0x000007FEF24DA000-memory.dmp

Filesize
1.5MB

Download
memory/2112-57-0x000007FEF2030000-0x000007FEF2041000-memory.dmp

Filesize
68KB

Download
memory/2112-58-0x000007FEF1FC0000-0x000007FEF2021000-memory.dmp

Filesize
388KB

Download
memory/2112-59-0x000007FEF1F70000-0x000007FEF1FB7000-memory.dmp

Filesize
284KB

Download
memory/2112-60-0x000007FEF1EF0000-0x000007FEF1F64000-memory.dmp

Filesize
464KB

Download
memory/2112-13-0x000007FEF7200000-0x000007FEF721D000-memory.dmp

Filesize
116KB

Download
memory/2112-12-0x000007FEF7220000-0x000007FEF7231000-memory.dmp

Filesize
68KB

Download
memory/2112-11-0x000007FEF7240000-0x000007FEF7257000-memory.dmp

Filesize
92KB

Download
memory/2112-9-0x000007FEFA8A0000-0x000007FEFA8B7000-memory.dmp

Filesize
92KB

Download
memory/2112-10-0x000007FEF7260000-0x000007FEF7271000-memory.dmp

Filesize
68KB

Download
memory/2112-8-0x000007FEFB5A0000-0x000007FEFB5B8000-memory.dmp

Filesize
96KB

Download
memory/2112-5-0x000000013F210000-0x000000013F308000-memory.dmp

Filesize
992KB

Download
memory/2112-6-0x000007FEF7280000-0x000007FEF72B4000-memory.dmp

Filesize
208KB

Download
memory/2112-61-0x000007FEF1D80000-0x000007FEF1D91000-memory.dmp

Filesize
68KB

Download
memory/2112-62-0x000007FEF1640000-0x000007FEF168E000-memory.dmp

Filesize
312KB

Download
memory/2112-64-0x000007FEF15A0000-0x000007FEF15D4000-memory.dmp

Filesize
208KB

Download
memory/2112-63-0x000007FEF15E0000-0x000007FEF1637000-memory.dmp

Filesize
348KB

Download
memory/2112-33-0x000007FEF3270000-0x000007FEF4ADF000-memory.dmp

Filesize
24.4MB

Download