cerber | db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

Analysis

max time kernel
129s
max time network
131s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_270b70bad151a515136f553e5bc880ac.exe
Size

344KB
MD5

270b70bad151a515136f553e5bc880ac
SHA1

77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256

db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512

c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f
SSDEEP

3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239 | | 2. http://cerberhhyed5frqa.45tori.win/66FA-FA76-D1D3-0073-1239 | | 3. http://cerberhhyed5frqa.fkr84i.win/66FA-FA76-D1D3-0073-1239 | | 4. http://cerberhhyed5frqa.fkri48.win/66FA-FA76-D1D3-0073-1239 | | 5. http://cerberhhyed5frqa.djre89.win/66FA-FA76-D1D3-0073-1239 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/66FA-FA76-D1D3-0073-1239 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239

http://cerberhhyed5frqa.45tori.win/66FA-FA76-D1D3-0073-1239

http://cerberhhyed5frqa.fkr84i.win/66FA-FA76-D1D3-0073-1239

http://cerberhhyed5frqa.fkri48.win/66FA-FA76-D1D3-0073-1239

http://cerberhhyed5frqa.djre89.win/66FA-FA76-D1D3-0073-1239

http://cerberhhyed5frqa.onion/66FA-FA76-D1D3-0073-1239

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.45tori.win/66FA-FA76-D1D3-0073-1239</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.fkr84i.win/66FA-FA76-D1D3-0073-1239</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.fkri48.win/66FA-FA76-D1D3-0073-1239</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.djre89.win/66FA-FA76-D1D3-0073-1239</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239" target="_blank">http://cerberhhyed5frqa.vmfu48.win/66FA-FA76-D1D3-0073-1239</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/66FA-FA76-D1D3-0073-1239 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2652	bcdedit.exe
2192	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	cacls.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cacls.lnk	VirusShare_270b70bad151a515136f553e5bc880ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cacls.lnk	cacls.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	cacls.exe

Loads dropped DLL 3 IoCs

pid	Process
1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe
2880	cacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\cacls = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cacls = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\cacls = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	cacls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cacls = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	cacls.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cacls.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE72.bmp"	cacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2404	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2668	taskkill.exe
1076	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	cacls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\cacls.exe\""	cacls.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c095c1a3deb1da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000ff313bf6a0e84ac468fb228126c0e12a15bacb1ed5eed6260866cc4af822296c000000000e8000000002000020000000c956835ee8fc6c207190718d23e6bf9196b10db37a9adf2acf85f6077b7fcf3890000000ed6f02c2b7e4850cb31910f2d818ef00ecac85dd95e4544781ae8eddd7513527100b4b095035951432dfcceb7799c31b9b02f521e444701adfb229977b7f6b2d7e63b9c02bdafb9e34a404fb419b3a241b26c6bcacc40e099cb4dad91348a0af56bda3567f4b763b7f8ddbe2d26e0238ddac5284eccc4c5f2b63858e5b54e31a911c4bebe72bfe68163063f80ed2caab40000000565d49a36ea9a34de6f6b37f733e5014f84077f2e3e022e0e73fbb2e38e3f2f6f1ea8f590df4bd1f702da6f5ebce430b9efcf92811a73369a51be192e46226a1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423159140"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1031A31-1DD1-11EF-ACD5-4635F953E0C8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E0F4D1F1-1DD1-11EF-ACD5-4635F953E0C8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000009f6e3b1de45fa982e07e7a6a1baaa24d48472d2c51e19a6133ebe74ba9f73fd9000000000e80000000020000200000008d1173db11b1a4e18a6e486196d0a5c79f69cb3e50e3ea4ce03ae039693902d7200000007e28cfb2b929e0a69d00cb90c7bfe00514807d2fc8db2b24b0b3cf5c23271e5840000000a801dfd629ec2312a5b933cb78a536352681e3130ae494d81e559db0868b8b8d421608b60e7972606e77c4b4971c9ccd29b14f70cdcb24a7d23f38ee1ad46b8c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2980	PING.EXE
2104	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe
2880	cacls.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Token: SeDebugPrivilege	2880	cacls.exe
Token: SeBackupPrivilege	2476	vssvc.exe
Token: SeRestorePrivilege	2476	vssvc.exe
Token: SeAuditPrivilege	2476	vssvc.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1664	wmic.exe
Token: SeSecurityPrivilege	1664	wmic.exe
Token: SeTakeOwnershipPrivilege	1664	wmic.exe
Token: SeLoadDriverPrivilege	1664	wmic.exe
Token: SeSystemProfilePrivilege	1664	wmic.exe
Token: SeSystemtimePrivilege	1664	wmic.exe
Token: SeProfSingleProcessPrivilege	1664	wmic.exe
Token: SeIncBasePriorityPrivilege	1664	wmic.exe
Token: SeCreatePagefilePrivilege	1664	wmic.exe
Token: SeBackupPrivilege	1664	wmic.exe
Token: SeRestorePrivilege	1664	wmic.exe
Token: SeShutdownPrivilege	1664	wmic.exe
Token: SeDebugPrivilege	1664	wmic.exe
Token: SeSystemEnvironmentPrivilege	1664	wmic.exe
Token: SeRemoteShutdownPrivilege	1664	wmic.exe
Token: SeUndockPrivilege	1664	wmic.exe
Token: SeManageVolumePrivilege	1664	wmic.exe
Token: 33	1664	wmic.exe
Token: 34	1664	wmic.exe
Token: 35	1664	wmic.exe
Token: SeIncreaseQuotaPrivilege	1664	wmic.exe
Token: SeSecurityPrivilege	1664	wmic.exe
Token: SeTakeOwnershipPrivilege	1664	wmic.exe
Token: SeLoadDriverPrivilege	1664	wmic.exe
Token: SeSystemProfilePrivilege	1664	wmic.exe
Token: SeSystemtimePrivilege	1664	wmic.exe
Token: SeProfSingleProcessPrivilege	1664	wmic.exe
Token: SeIncBasePriorityPrivilege	1664	wmic.exe
Token: SeCreatePagefilePrivilege	1664	wmic.exe
Token: SeBackupPrivilege	1664	wmic.exe
Token: SeRestorePrivilege	1664	wmic.exe
Token: SeShutdownPrivilege	1664	wmic.exe
Token: SeDebugPrivilege	1664	wmic.exe
Token: SeSystemEnvironmentPrivilege	1664	wmic.exe
Token: SeRemoteShutdownPrivilege	1664	wmic.exe
Token: SeUndockPrivilege	1664	wmic.exe
Token: SeManageVolumePrivilege	1664	wmic.exe
Token: 33	1664	wmic.exe
Token: 34	1664	wmic.exe
Token: 35	1664	wmic.exe
Token: SeDebugPrivilege	1076	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1588	iexplore.exe
1588	iexplore.exe
2224	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1588	iexplore.exe
1588	iexplore.exe
1588	iexplore.exe
1588	iexplore.exe
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE
2224	iexplore.exe
2224	iexplore.exe
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe
2880	cacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2880	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1764 wrote to memory of 2880	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1764 wrote to memory of 2880	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1764 wrote to memory of 2880	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1764 wrote to memory of 2744	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	30
PID 1764 wrote to memory of 2744	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	30
PID 1764 wrote to memory of 2744	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	30
PID 1764 wrote to memory of 2744	1764	VirusShare_270b70bad151a515136f553e5bc880ac.exe	30
PID 2880 wrote to memory of 2404	2880	cacls.exe	31
PID 2880 wrote to memory of 2404	2880	cacls.exe	31
PID 2880 wrote to memory of 2404	2880	cacls.exe	31
PID 2880 wrote to memory of 2404	2880	cacls.exe	31
PID 2744 wrote to memory of 2668	2744	cmd.exe	34
PID 2744 wrote to memory of 2668	2744	cmd.exe	34
PID 2744 wrote to memory of 2668	2744	cmd.exe	34
PID 2744 wrote to memory of 2668	2744	cmd.exe	34
PID 2744 wrote to memory of 2980	2744	cmd.exe	37
PID 2744 wrote to memory of 2980	2744	cmd.exe	37
PID 2744 wrote to memory of 2980	2744	cmd.exe	37
PID 2744 wrote to memory of 2980	2744	cmd.exe	37
PID 2880 wrote to memory of 1664	2880	cacls.exe	38
PID 2880 wrote to memory of 1664	2880	cacls.exe	38
PID 2880 wrote to memory of 1664	2880	cacls.exe	38
PID 2880 wrote to memory of 1664	2880	cacls.exe	38
PID 2880 wrote to memory of 2652	2880	cacls.exe	40
PID 2880 wrote to memory of 2652	2880	cacls.exe	40
PID 2880 wrote to memory of 2652	2880	cacls.exe	40
PID 2880 wrote to memory of 2652	2880	cacls.exe	40
PID 2880 wrote to memory of 2192	2880	cacls.exe	42
PID 2880 wrote to memory of 2192	2880	cacls.exe	42
PID 2880 wrote to memory of 2192	2880	cacls.exe	42
PID 2880 wrote to memory of 2192	2880	cacls.exe	42
PID 2880 wrote to memory of 1588	2880	cacls.exe	47
PID 2880 wrote to memory of 1588	2880	cacls.exe	47
PID 2880 wrote to memory of 1588	2880	cacls.exe	47
PID 2880 wrote to memory of 1588	2880	cacls.exe	47
PID 2880 wrote to memory of 2148	2880	cacls.exe	48
PID 2880 wrote to memory of 2148	2880	cacls.exe	48
PID 2880 wrote to memory of 2148	2880	cacls.exe	48
PID 2880 wrote to memory of 2148	2880	cacls.exe	48
PID 1588 wrote to memory of 2940	1588	iexplore.exe	50
PID 1588 wrote to memory of 2940	1588	iexplore.exe	50
PID 1588 wrote to memory of 2940	1588	iexplore.exe	50
PID 1588 wrote to memory of 2940	1588	iexplore.exe	50
PID 1588 wrote to memory of 2332	1588	iexplore.exe	51
PID 1588 wrote to memory of 2332	1588	iexplore.exe	51
PID 1588 wrote to memory of 2332	1588	iexplore.exe	51
PID 1588 wrote to memory of 2332	1588	iexplore.exe	51
PID 2224 wrote to memory of 1672	2224	iexplore.exe	52
PID 2224 wrote to memory of 1672	2224	iexplore.exe	52
PID 2224 wrote to memory of 1672	2224	iexplore.exe	52
PID 2224 wrote to memory of 1672	2224	iexplore.exe	52
PID 2880 wrote to memory of 1560	2880	cacls.exe	53
PID 2880 wrote to memory of 1560	2880	cacls.exe	53
PID 2880 wrote to memory of 1560	2880	cacls.exe	53
PID 2880 wrote to memory of 1560	2880	cacls.exe	53
PID 2880 wrote to memory of 844	2880	cacls.exe	56
PID 2880 wrote to memory of 844	2880	cacls.exe	56
PID 2880 wrote to memory of 844	2880	cacls.exe	56
PID 2880 wrote to memory of 844	2880	cacls.exe	56
PID 844 wrote to memory of 1076	844	cmd.exe	58
PID 844 wrote to memory of 1076	844	cmd.exe	58
PID 844 wrote to memory of 1076	844	cmd.exe	58
PID 844 wrote to memory of 2104	844	cmd.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\cacls.exe
  "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\cacls.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2404
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2652
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2192
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2940
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2332
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2148
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1560
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "cacls.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\cacls.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "cacls.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2104
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1672

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
3bc8ee33045b5757b018559888dfa4b6

SHA1
e93f9ff2f3a6d564c3b9a72c1b5b50e2f12af028

SHA256
ceff5b284038818065ad9290eac5962724cacc46c9fce627fbb361950c405aef

SHA512
e9b67d84626027fbaaeeebe423580d3e187316c9183c93972ad3257a496fe57ece6a9a344c107091e75cc381bf0580aa44b956c4d023ac0141d84d0a3bd14c6e

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
38dde2a37c2deda31af968b79b416514

SHA1
ed1777b00178d12bb53fdf2d645ec91b0eef64fb

SHA256
68a5d780b4199e36c882e9e8a8956774a2365618fe7bc95cf4299e8e21ff8dd2

SHA512
72b81a1dc5ed0d2f913512cf92cb6301c639953f11d7ec12ddcff3261a560be96850332b1051f2f5117d1986aa79e1cdcd3ce53ceb2a753b25f880edf6650075

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
a6859c5579ee4f26f84000eb62e4b0c4

SHA1
850d4e000cb340e1b0eb2bb54749acf997f8d760

SHA256
4fee368ddfb0520ca62b655c6d6caf453b4c2053db4f3904572a3295c69229f8

SHA512
bf24188a8658ac88b624eb7eef613ed7521a1195982f0101604bdea834d51fe2d0a5b97961fa61b858de499639a700e0e19e4c9f3f106dd63e1efb8d01503aba

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c110cfa8309ca0f86102a6b50a0bff30

SHA1
e36e0416a3994c546e7ec8d4749a33d3b96afbf1

SHA256
8e13c1ca12f4f48a378c7a5a096a557e6a24cdf9540dfae3b803610465cca01b

SHA512
6532b10753f4b74fdce40c795e4eb879916512fc6f728c2a923de1c753c0cd5fb3fa7bfabe94528b0bb04b3ba3f3dd6a3202aed831c562ad3bf1ebef8964254d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b78c87b33f65aed5cbcc7ca3ec5c75c5

SHA1
d4765171ff07bfc14da0c55d7058d1bd2b8e8007

SHA256
e2412bdcc3bcf25da49d69db7dff61536987e6231b96e13c4ccec3da3d0ebdf4

SHA512
6a210fff15e07b89455387a9ece4627807bafd7624a9285e879d5feb60cf73b8ee65dd8ad994285ff717f260157810a93c9fff8a076be43c79d457df35f4a183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b641c064276649076fe70e68f1c97660

SHA1
c024eaed13207a4814df4b61f02cb532e0943d81

SHA256
3b152eef46ea251d62f6c8cb119548921f1c1e307a7138517011c20881ba65b5

SHA512
a79ffbdcd4dd93b54e7f943b016e3cea68eda38d283385e2666b06e048b47362322ac676016b60bfd4b374598158801019933815c4401b59e59f0395e72c08ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdf6d4366ddae5bd48bc366744e6f300

SHA1
76341e49338a1c85354e81874b081a502b7355c1

SHA256
18d3120de2ef7f22d3a481a48408b4b5e614b59550a565fd79889d545a83adf8

SHA512
e274f51e08f232b24b178d421a7f5b4d1eed61a0e190f4a13418e082edfa78e8b247637e4c376739afedacb4231a01e9ce2375d06e9e001b5c20112ee47e1ec9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce8b2f4343d691fea6001828312a88c

SHA1
68073872c0e4784ff7cbd7ee499c4d84da001bde

SHA256
22da877a4b320698edd4d49c14eb623bb33ce74408858e84f501df35e5f3a585

SHA512
3c446430b026e22433dee10c857cb5b0d6cc3a2529af8400db5764c1f1f2172e56822ad8823d273e2843fd604db98e5238a9ff5fed14c509fe8b37b4287aea5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8737ad96e8b9d4d4dc08c2e5f15174a

SHA1
573a24c93030a9b06793ae11736242171c75bb8c

SHA256
92a3eece0362ff86f9cd89dfbd47bc75f128e62d0c26c5397bfc6fc8c513ec45

SHA512
7e536db1bf17556f088a1f47c1442ce9ca0d76024ec8dda5e484f77c931f4e614eba0b90cc45256fb655d73afa5da8582db2d5c255a7d7c19d45a15ef2972026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9682eb404c871e34429c78c58db67aa3

SHA1
ad92b4c41331b82a8632946a483ca53712885ceb

SHA256
7f3045f425ce17d6ce965611a940165aee28756a51d8d9ddd19f13828ee5c7a7

SHA512
a8b608e9de00ffe87e1b118d0064794725316e8bf82649ee964a947b58493bedfd9951854f46691d4acbce43763b2079c178d14b532c56c37c17f1d01e134020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d69e760a50c061980e3293e2171b142

SHA1
eb9c9d8858bf3a2ad38315c6fa5f3ee11682e176

SHA256
16440d3e2795f81eee4afc7c77e6a73edda968d753100125f4cb2708f651fd19

SHA512
2ba95a06e1d01447d91821e2132ff8924de5ddb6a4ffa715545d45b5385e292f7ed9f8f8d92b213737d61f16fc5d8c9caf55142bb691b5da90bd29a525206363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e582a7a188995218b042acb84843fc13

SHA1
29e4ee9706d10fd79df3031c91b82dca0a9dc0b2

SHA256
ffccf1b696bc423b35ef3e043184132038005724bb3d4624c8d8d13b00e7fb05

SHA512
2488b243cee053c32dd4066bd42364bcf0e468a0721760e894543ff3b3045c2d0b3c8edba8b949c323d9397e482fda63668eab2f3523317977d80ba101d0b94c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b46cea70f86b3999ed2c64bc7b87ff9b

SHA1
deff73da2847cd2f23450d54f198bc975e0afd6d

SHA256
48187433eb82fefa9a11c0838acec9974800f229625e8ed3895b5e7f8d80c6dd

SHA512
90f8606c53a43132df5ebaf64a329a04fa84d685c3220b847b24b20b60934842f1012b9b8845755b784a9bcfa99753cc9c1f6ab500b2f8d52ac0177da6f63b89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd1e801efbb6e47fec02849aacd0abb4

SHA1
eb8d3f144a258c16b51cf852e945ac1a6f294c20

SHA256
e24745658a02504f2e31e13a599e79a5638797d0e7f6758cbd213c44f3f82b4f

SHA512
83fef270645f85205501999e148f8a1513e3aaee571ef359347bfa5b347b53f3d26a5ad37eb6ae953274604c072dca0fc6f3bdef831ab9269745ecd9c09c6573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03d7ad37b51d54bdf9b29dbd15509a84

SHA1
8016f2e0cbb4f3a8f0b755ce7ea15ba2fd954d4f

SHA256
9b7ef71c0e0f15ca01d9107aa0c465369d3204711398225f15bc8de59e8f9e39

SHA512
fd3868dc39c333d597d60dc6e2e1004bbb60c6b5027e652966e9edd4b63c8a2f557f5844944da6cc0f0762aac49de61d48cdbd4a4f902f163423831369d1bc5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5048459930c1936bb1022910ece309b7

SHA1
9f5e794c81fe70dc8bf84461094861d8be20f06a

SHA256
7345922f8ffdb359bb7781f9b5dd0ddbda8eee7b449894f6423e3593fb62a43e

SHA512
d026940bd8debdc60a0338e85a62fd1cb512d6d2ae498b5620a473b1c5b96a0b5094c932f901c4c0febb7ea99d5538bf598e50aed44d70bc433f1f7ee316147d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2891ebead26d0752712135da026c6d8

SHA1
e1c1eec5571318d30fc44869c54c23f91fb9414b

SHA256
8538d0f30c4f20b08c47c4bb34715e278f44878bf892a5d8f2bb3ed693141058

SHA512
b377dd31d5d4aa9431564d67f8fc3486442e1b579bc36202f2e32a97127d3796603c9f0f361c700e643515f4e7306905d508b07c2388255e66a111072142f37c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
426458ef8912f83f05b6c96697ed1258

SHA1
522f982fd953d6e17cd86108579465afc3914e8b

SHA256
9a51de826f78855400061412d926c7a8f41f3c2e32030a959f43dff4764493ab

SHA512
2979be9e1280c2c64e9320df23eeeb65587ca3184965fe17f5857ac9efb644287e1b8e3b13066b56f5c132d8ed4d49b84532ef5d9da09c97abb1db653d627223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c8b83ab87a14a6a26d44a735019c98

SHA1
a70039d0fae64f3e0dfa08ac458e48208d9b7655

SHA256
0d7c8ccee1ee25cba65f83f1ee21544ea857eb22d253c6799642f461d6856e6a

SHA512
e222e999817deeb4fb3ccdce6628789a1b6af92132c9c0395991cc3d3b92ed94143a91b8b73cda2b641612e4d8b93969c427a448af7d8ca030cad7aabeda5d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4be0edf6be095d43a05cf3e41ff3b842

SHA1
400c5b4b7d778966fadfdcc830a1136a47cefaf1

SHA256
49e1a801014b86c598f548d9547778852b875f345be6e07602711d0e1d4c3fa7

SHA512
c741106780c7924ad9a0a00bd4eea02605a9caf112ba645ad73ba99ead0648d2ad7214c630b4d8b4da340d1f2f28586f9209707ef7975b7538653417da162b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57e1c698b00950d86ca9ec58bee5d440

SHA1
f09197e4831895c88834103e326b2fe3845b27a4

SHA256
00a855cd19f0f148e6923b07645ac15ef7b252084f42cddebb14111fcc95cc8d

SHA512
a64d4562eab97a6854e85011f38bed3ece27583bf015e6bfe8f1d15db687debf8413241a35c06274727e18a3f66f49b40a77537a0ab473a2efc2312ce3cd49e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0F4D1F1-1DD1-11EF-ACD5-4635F953E0C8}.dat

Filesize
5KB

MD5
0652403954be36304ea98775881e1563

SHA1
1bf5f8e3db6c5057bddd81749a83b97377800d50

SHA256
e837aff2b1d6b06022d29adf9f638ea5a3fc0198dfca420367b23b016da309d3

SHA512
d1d242e16aaee98fe7a157f20d5183a2858c346c1035c6929c50cbfbb6896598d5bdb2f91b4bc36edf57639d51b612dfc2f4802ede41ed946c896a78c1994984

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2520.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25E2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cacls.lnk

Filesize
1KB

MD5
37f4fc807dfa76574dec5d8e1247b83a

SHA1
9b7708a5eaae2e4085ba4736066f9f035b9e85a1

SHA256
be4c981c23402258f68837effd2ebec8dd398edf94c3b33031d7eaa4977d6509

SHA512
6f35d4c3aa242a5dd970af58d289b9d9ca979aa9cabf573a5da3f8392cf904e58621412bd70af490b4fe107f67c12ce9b4603f84d2d35a2896f9bec89a512828

Download Submit
\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\cacls.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
memory/1764-0-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/1764-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1764-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1764-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-468-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-476-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-438-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-436-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-486-0x0000000005240000-0x0000000005242000-memory.dmp

Filesize
8KB

Download
memory/2880-470-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-472-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-474-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-464-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-451-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-972-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-441-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-466-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-22-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2880-455-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-459-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-462-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download