cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
133s
max time network
134s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22 | | 2. http://cerberhhyed5frqa.qor499.top/0FD1-47C7-1508-029E-DC22 | | 3. http://cerberhhyed5frqa.gkfit9.win/0FD1-47C7-1508-029E-DC22 | | 4. http://cerberhhyed5frqa.305iot.win/0FD1-47C7-1508-029E-DC22 | | 5. http://cerberhhyed5frqa.dkrti5.win/0FD1-47C7-1508-029E-DC22 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/0FD1-47C7-1508-029E-DC22 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22

http://cerberhhyed5frqa.qor499.top/0FD1-47C7-1508-029E-DC22

http://cerberhhyed5frqa.gkfit9.win/0FD1-47C7-1508-029E-DC22

http://cerberhhyed5frqa.305iot.win/0FD1-47C7-1508-029E-DC22

http://cerberhhyed5frqa.dkrti5.win/0FD1-47C7-1508-029E-DC22

http://cerberhhyed5frqa.onion/0FD1-47C7-1508-029E-DC22

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.qor499.top/0FD1-47C7-1508-029E-DC22</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.gkfit9.win/0FD1-47C7-1508-029E-DC22</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.305iot.win/0FD1-47C7-1508-029E-DC22</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.dkrti5.win/0FD1-47C7-1508-029E-DC22</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22" target="_blank">http://cerberhhyed5frqa.zmvirj.top/0FD1-47C7-1508-029E-DC22</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/0FD1-47C7-1508-029E-DC22 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	fixmapi.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fixmapi.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fixmapi.lnk	fixmapi.exe

Executes dropped EXE 2 IoCs

pid	Process
2912	fixmapi.exe
1444	fixmapi.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2912	fixmapi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\fixmapi = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fixmapi = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\fixmapi = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	fixmapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fixmapi = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	fixmapi.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fixmapi.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3784.bmp"	fixmapi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
656	taskkill.exe
3004	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	fixmapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\fixmapi.exe\""	fixmapi.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000085b1e5949ee1983167818deb4bb5cfa790f3ac1411263289feca5d34dfc02d87000000000e8000000002000020000000d36b28d7d77541d6482fd0194046a9e30ba59d4322688ff384928bacaaf05ee62000000027cba6a4fd252f26d69eed352c93f1fc473f75e09ad3502aa27a4c466e8ef1bb40000000b757d9cf74abf186d5fc59bd3af282552efe43dc346f2a4c2182742e5346dd9bf1073bd9dba4734a1229b0cceb0f777a687a286fee6f71308ffa480e5a5cb6d4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000f7b0c4fa20179252db9c6754d07d5897fb10b3c0f314cd5ebb8f0f23c8132515000000000e80000000020000200000001e9fdc1bcf824e6ecc73d42cd8041b071a916d0f1eded7affd97fe9aa7755ade9000000092e5602bb7e6ffd48b3aff727f7b903820b06f628b920f996d9cc382595d7722bd5c2c5e91bb7aeaa63472e0e18270b87181acccfa13402f5ff158fcd7f9090aff1b77d2cfa3b5bffdfbe212794ce0c6a2f9d697bf7b8b95a48d9bdf6083d8fbb33c31e71094eaab9984bf4f20ed3e461ad7b5037f5482e76553291b4540df26aa75607422ca3cbd85ed0268e74870be40000000336ed9a7ae1bd55831e70e7e446ae8af5e9e7db8f9d93e316a5e8001ebcbc77454f7f1cb172684410bb0547428b99a523a95d720eb565ac6c0fa134ab8ebf31c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F764901-20E6-11EF-9DB4-7A4B76010719} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423497849"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F849141-20E6-11EF-9DB4-7A4B76010719} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0491143f3b4da01	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2772	PING.EXE
1516	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe
2912	fixmapi.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	2912	fixmapi.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	1444	fixmapi.exe
Token: SeDebugPrivilege	656	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
280	iexplore.exe
928	iexplore.exe
280	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
280	iexplore.exe
280	iexplore.exe
928	iexplore.exe
928	iexplore.exe
280	iexplore.exe
280	iexplore.exe
556	IEXPLORE.EXE
556	IEXPLORE.EXE
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2912	fixmapi.exe
1444	fixmapi.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2912	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2080 wrote to memory of 2912	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2080 wrote to memory of 2912	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2080 wrote to memory of 2912	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2080 wrote to memory of 2924	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2080 wrote to memory of 2924	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2080 wrote to memory of 2924	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2080 wrote to memory of 2924	2080	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2924 wrote to memory of 3004	2924	cmd.exe	31
PID 2924 wrote to memory of 3004	2924	cmd.exe	31
PID 2924 wrote to memory of 3004	2924	cmd.exe	31
PID 2924 wrote to memory of 3004	2924	cmd.exe	31
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 1724 wrote to memory of 1444	1724	taskeng.exe	38
PID 1724 wrote to memory of 1444	1724	taskeng.exe	38
PID 1724 wrote to memory of 1444	1724	taskeng.exe	38
PID 1724 wrote to memory of 1444	1724	taskeng.exe	38
PID 2912 wrote to memory of 280	2912	fixmapi.exe	39
PID 2912 wrote to memory of 280	2912	fixmapi.exe	39
PID 2912 wrote to memory of 280	2912	fixmapi.exe	39
PID 2912 wrote to memory of 280	2912	fixmapi.exe	39
PID 2912 wrote to memory of 1824	2912	fixmapi.exe	40
PID 2912 wrote to memory of 1824	2912	fixmapi.exe	40
PID 2912 wrote to memory of 1824	2912	fixmapi.exe	40
PID 2912 wrote to memory of 1824	2912	fixmapi.exe	40
PID 280 wrote to memory of 556	280	iexplore.exe	41
PID 280 wrote to memory of 556	280	iexplore.exe	41
PID 280 wrote to memory of 556	280	iexplore.exe	41
PID 280 wrote to memory of 556	280	iexplore.exe	41
PID 928 wrote to memory of 2096	928	iexplore.exe	43
PID 928 wrote to memory of 2096	928	iexplore.exe	43
PID 928 wrote to memory of 2096	928	iexplore.exe	43
PID 928 wrote to memory of 2096	928	iexplore.exe	43
PID 280 wrote to memory of 2040	280	iexplore.exe	44
PID 280 wrote to memory of 2040	280	iexplore.exe	44
PID 280 wrote to memory of 2040	280	iexplore.exe	44
PID 280 wrote to memory of 2040	280	iexplore.exe	44
PID 2912 wrote to memory of 2760	2912	fixmapi.exe	45
PID 2912 wrote to memory of 2760	2912	fixmapi.exe	45
PID 2912 wrote to memory of 2760	2912	fixmapi.exe	45
PID 2912 wrote to memory of 2760	2912	fixmapi.exe	45
PID 2912 wrote to memory of 1032	2912	fixmapi.exe	48
PID 2912 wrote to memory of 1032	2912	fixmapi.exe	48
PID 2912 wrote to memory of 1032	2912	fixmapi.exe	48
PID 2912 wrote to memory of 1032	2912	fixmapi.exe	48
PID 1032 wrote to memory of 656	1032	cmd.exe	50
PID 1032 wrote to memory of 656	1032	cmd.exe	50
PID 1032 wrote to memory of 656	1032	cmd.exe	50
PID 1032 wrote to memory of 1516	1032	cmd.exe	51
PID 1032 wrote to memory of 1516	1032	cmd.exe	51
PID 1032 wrote to memory of 1516	1032	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\fixmapi.exe
  "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\fixmapi.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:280 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:556
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:280 CREDAT:668673 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2040
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1824
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2760
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "fixmapi.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\fixmapi.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "fixmapi.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:656
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1516
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2772

C:\Windows\system32\taskeng.exe
taskeng.exe {52124397-795C-4017-98E8-898322AA5F10} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\fixmapi.exe
  C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\fixmapi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2096

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
ff068ed0d0c7bd06d8cebd34ebc0186d

SHA1
503fe3cc85e993690c6d2263ab5faadb6d8adf83

SHA256
caf07bed729d6043fd985e02c26a0b5c74835c579cd5344e54d3dedf03b7e68b

SHA512
f4a8c23ec94cba784388732207298823aec9109b2b41af2e1d79723229fdcf89a20421905d0bb2b5b95acb6f9efbc3874fbf5c83b87c5d08cfc87bc90b73d49a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
7fbc3536afe719f6b7150b99754b33ca

SHA1
64dfd06de3069e2e6574867facd97be28d7060ea

SHA256
6eba2e72088befc121f1d5f1ed897a8bb21ead4d679c4335ba3fdbf4ba08230d

SHA512
0bcc60a87d35db9dea93a9304955742c255b6d1214a3b9cbe38748b6ceff2fd696033c6e720463d101d3a3aae43bec5fbab32b83e31c6d4359125acdc39d0b65

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
2d829b3b9e97b9f798d080f50091bbea

SHA1
d7a0ed7dee1557164cc089f3fcf755d73789fd2a

SHA256
4950e218720d17aca467c7e86462d3f3752d37968c3f7c5ad85cec564ef929ac

SHA512
39d229769e98d857d531ab4bca837d763d7e25dc612224a451980d7a478f44fc88ce7c8eb04b9ae3064a37682bb04eedf9e3d0e874c023c868a34617d4442e9d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f9c38eadc9afb584cb1305f28e9471d

SHA1
28553d853aa58400721a8753a41e99a551e3ab54

SHA256
14e787e674acf57c4b8ed4a2a61b9e5df7e52fb6f4a08954875bcabc06d0ca1e

SHA512
5a13969c90d316f0e6be60ec366f775326858a9c5df6402a88684c0fe2f6f19e186272376ee44916307645220730b952943ea16bbceae93d1ff895b17d3a2a9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfb377514633ca19ed2c66e4772f49c2

SHA1
bb7fcf6a4680bfe523c74b95cc8490adba869113

SHA256
2972c9ba769ef98c9b18882014350295e37f9f43b412c2ce2459f4cd09dbc3b1

SHA512
fe3e422de27d9a5b9573a481fa815060605cdcf8717dfdd9a1533bcb9e4672e1c333e56a70d3f40267f49f4783530971cdbb0ddf93c840e72e5d1d70479ea96f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7abe5e12eed6eb5a1e2ebbdedea57d32

SHA1
c0f751bb0e3ab8c2de1d64879f5584c0877375bc

SHA256
47821e1019ca1e0b72d22d0b0fce26104cbcaa832ede4ac4faa670f1a72557af

SHA512
9fa520af75d877bc7fef77cc1063f7ab29bf16d699c9c5598688220e33f3741b288edf60ce64d0c851ec473e6bf7063d1f914e8b8a722a0fde931cecfecfbea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3995c2e37090972a2043da49b1f0ec9

SHA1
2082bc69c44b2b43ebe151bc43b31c285527fb76

SHA256
9d0ad261eabe1cfc50003681b085935705706290a85c7e9c4a53226834a5a22c

SHA512
35e153acc8de720d4d6129e5a0da873d830726097175ef7052e9fc2af8c6b8682afec9398124e7db453906644445c9e3356013755a3d0183b314649750e08784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e6e0f60d7c857a7ebbc30ee0200f92f

SHA1
7bd32eb827c0424eff2a6c8bcd8b32d43505c16b

SHA256
0dbc6ebc0393d171d9a75ebb7d30288a78cde9967b86f303c1eb3aa0310ffe15

SHA512
a5996c1461a14a01df4d38024a3186ec85f58a9b271ee62817681884f4b5dea9ad441368a07d13a0a45f58c54b2a123da07f54a39cd0811a634a166eae519701

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58f73a43f2738c51fcd4dd68248e210b

SHA1
048127de44ffc9d48f527ec8db5514716352d3da

SHA256
1ac6354b69eaf3794724d761c428b0b2b3bff5b5320ac4854972a6230c060844

SHA512
af8e4f67e7a98a964cb019b30de2be01e85bcdd7d29ebe896cd2d4df71c7915ceb6e4c759b053a0a8be22cb4cbec1c358c4f29b4d7af3b41fa3bc363c06ff1de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab39e49d5bef6bd23981e55bc04242c3

SHA1
fb6547b465f6a5cc251bdb7f94c397e0ca3f915d

SHA256
8093a3b25e78673e819b0a90e2ac9bc5749b25ad63f8eca58287982da9686c93

SHA512
4f7ad5f8bc8f8afc36c57e7ba1f642ad174d581cbefad74c592c5840574fbdaef4ceb4e82d5828f19173e6ceaafa2f5728b780f6ec4c6e53164387188fca526e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abf9b1ba70780b599b1b69e282a0de20

SHA1
1f148944aa0cbe44eb760758c574bbf5c8422f1b

SHA256
297f99eee482cbbe54b604eb55768e5dc92d3a75149937d32ca8417094e77e37

SHA512
05ab0a9d0a66cd089f9f6a6332e57289ebf607efc1fea5f6881bac3e4d9aff27f6addb2e3db17e72cb457547f90be4192f8ccaf8265733628d9d3fcce1578d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cbe827a3f57daf4c81196517617512f

SHA1
9af1fa2fc2d2ab1d710c1064af17ed33e8237be8

SHA256
edef5171419b89506de641d994e364bc8b9e0f6a8bece8877e12fdaacef36aff

SHA512
3aea4e30e08f3979e599961c55ba4fe0680fac2cf663b018cb378d6f2098a7625a39a609f0a61524c3675f874bd52c5d37387f9c9fff9c31f8aa232480d86685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4cb02235aad9a38f4652108f50f9bfb

SHA1
b58524eeb09c2fa89e2e135b2720c66d67f9a443

SHA256
44487f92873af2c8d1845becf7d497fb915b4eda3889f0396ae16171101375a2

SHA512
4f354ae215078ee1f02992bc003def35242e768d716add5f65037a4b8a0d428102c86a02103d2b4da0edbf46fb831e8c2fbb8dc5babe3fea2a22e3d5256fd387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbd951c7ab8fc0f278e913c4b0f74e1d

SHA1
55b3452c78390c3b95f774dcba00c62e22b097a0

SHA256
179768b6f88c51ea2545ab6f6086282ace94ecf7fc4633109df00c55dfde46a8

SHA512
8d9f7f545a5f9de7ea7df30e25cbe0b745050d695d4c15ac4bdace0e585c8079818ef65d16438f5b2e23bd4d3f849228ad49706428858568773825190aa0ac77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53c56a377b18bd44938b76a15c0062d9

SHA1
579b096f557580dcc17394a373d31499a8b2925b

SHA256
b723d524a74963e5cf0503b991f50d863e8c00e1a16b9891cc02aedc4f11346d

SHA512
7c1d6bd16a84fc01e34873adeba86b89c8a2b63192064d80765b183d0dc4f0449e848328d98baafe347ec18a4b057ccb01813b70f9390354a88074f32c776c20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
896734e515743a8d08d80d1e270ba288

SHA1
3bc4442ad9c680f817626f1e4c7f0a5b367f4cf1

SHA256
aaa0ad1ddffae7805df914b00a8c070919458439c308057e0d11e8ac7a782a59

SHA512
d62e9414bfd3f57ce8ff87796e01d28cc61b083ebe9bda821ce6cf4a1884adfa356b248b024dc332b2b32fc112bbf785363ade34065ee257abc712e13d099480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f74e97e87defaeb38aac75bd9436150

SHA1
bb9865c39a96a3305569b29aaa4bc9f8b06d7e84

SHA256
4ae617042f5f214daaca9d4517856895691337ba245bccf4322e776cd4d0c399

SHA512
8944f8daa4e9c1260632917b322cfa6c3aac0fb47f66038c7484fb538c107f523ad309572c501b6e87e75e52445fc7f61a7d94b994bf285b0902d7e96c392a34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c858d44f288600041672001b78c185f

SHA1
3d0ed38f62cf2bd9d90c64c7e3bfc82c12d3b995

SHA256
fb07620ae24eed6f5582649afcf1a22ed03bcb5afa7f912fd9118707d00e2c5b

SHA512
3d20956935c88b0e2db8995f13984334012332758d6bbae48d1f64b3e1b8e33706fa8841eb1d56cd612964aaea53041a056144ad779f6987734a3fba9ea0eefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7350af07bbeb2e13bc868b71cd825ab1

SHA1
1c6d614a14dfe2e3bd4fddc37e8442d7523c18d7

SHA256
b946441eaa5cace08ca77e21269db98566847f4b1ade4e1adcb425aabfaade97

SHA512
48c74e3cab7f1289d5ddafcc863ec90b3b1581b0253d47993cc1d2e842bcfe3d9883cc4438369479fd58fc48b4c83a62530d9054fa809fd1633e107ceb72e5b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ad7017954645f138a44e746cd53563a

SHA1
e2300f944df01155b659e0056e09df9f6be83b36

SHA256
356e7f5de7519ff0c22fe462d6be0afc789323ae0eaf02f4425f8d167cd038a1

SHA512
01c031fffd8bbcf677da03a7e4cbb231c1b26576ce39742e4638ff400765d27311a3d2790f1f5feeb989c413cc66bb19f5205f314af7d9580b8c97f8f917aa9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
522b1efe1c930096380f52d49cf3eb80

SHA1
eb1eef6ed093170c50b7ffc4ea9e49d6a80902ce

SHA256
aa915251f952b34aaccf66f346b7449124c1c2c5f8425697e8791e7e517efa1d

SHA512
5fc135f379e9b1fb553fa83df6273fd46a3d66a49c804de1350bb5bc7a070a5cb20af4d0abed45cd4e8c2b2ab699a456322da42273e2e3006cd81f665db5377d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf771f1a73dc7c650c75770ae02b8e1b

SHA1
845751851fa447e05383241a9a1ade934e07b4c6

SHA256
eacbb0afc83e29012efcdde29eb2318a7fb30b06070306a288c5b3ff4363c8bc

SHA512
951a1024ae11a99f73264f7a4c2fc16a7927fa0c2eb7f8d5517d2045373eaacfad9de7da6ff1d8f411931144f23867a30923428a024b80985a2bf54f208afbf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F764901-20E6-11EF-9DB4-7A4B76010719}.dat

Filesize
5KB

MD5
42d2497d32849358ee2154c0e9514a81

SHA1
5de731c645e7db252e5e160274d3d5ac8eb64efb

SHA256
c3a64f398037ccc912a7b56660b5060b2fac113bf458c99285b0c890887457e7

SHA512
651e1f24389098fc15f8c0b2c36fe675bdb5d726f4b3a62efa7dd2d74fdd3b82b9ea8b0ae2a5c20b7cc40bf658c5683cac4d8b2c04383030a6ae29e46b73c890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F849141-20E6-11EF-9DB4-7A4B76010719}.dat

Filesize
3KB

MD5
a2224caf91865585c8915fba2be68e56

SHA1
378017ef9054380813207795a0d3950ca52f59dc

SHA256
afbba27bc932f0b1f1cf78cb524a598ec9634fde2f9ab1d266d253df66b11392

SHA512
8651513d5173a02d0597c30629c4c9ea39a345958089d304f0caded65b0546b41b8f47c5218a04065c3a3d6eec17d3b6979c5e7bc13e5b679bc3731152c218c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4EEE.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fixmapi.lnk

Filesize
1KB

MD5
7a399f7d4a244388bcd761e4460e8fc4

SHA1
bcedcbedcc496a40c702f282d7039a1ee01f0e9d

SHA256
fa4a1908521a8db88d7bbd11682830038ab93da55b2237fa645c0d2588e8a957

SHA512
420b64b02b3a21585a439a1c4304ef3f95b7e33bbf4d5edbd3a35e0ca04133754219b231394b817602d34f83dede00b91039fb2d400c6ce0d50bf76879357d42

Download Submit
\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\fixmapi.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1444-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1444-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-0-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2080-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-499-0x0000000005050000-0x0000000005052000-memory.dmp

Filesize
8KB

Download
memory/2912-466-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-469-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-471-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-474-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-477-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-479-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-481-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-484-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-487-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-464-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-446-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-448-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-986-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-985-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-450-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-442-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-444-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-19-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2912-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download