cerber | db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

Analysis

max time kernel
126s
max time network
130s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_270b70bad151a515136f553e5bc880ac.exe
Size

344KB
MD5

270b70bad151a515136f553e5bc880ac
SHA1

77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256

db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512

c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f
SSDEEP

3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE | | 2. http://cerberhhyed5frqa.45tori.win/8572-1CB9-2565-0073-14DE | | 3. http://cerberhhyed5frqa.fkr84i.win/8572-1CB9-2565-0073-14DE | | 4. http://cerberhhyed5frqa.fkri48.win/8572-1CB9-2565-0073-14DE | | 5. http://cerberhhyed5frqa.djre89.win/8572-1CB9-2565-0073-14DE |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/8572-1CB9-2565-0073-14DE | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE

http://cerberhhyed5frqa.45tori.win/8572-1CB9-2565-0073-14DE

http://cerberhhyed5frqa.fkr84i.win/8572-1CB9-2565-0073-14DE

http://cerberhhyed5frqa.fkri48.win/8572-1CB9-2565-0073-14DE

http://cerberhhyed5frqa.djre89.win/8572-1CB9-2565-0073-14DE

http://cerberhhyed5frqa.onion/8572-1CB9-2565-0073-14DE

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.45tori.win/8572-1CB9-2565-0073-14DE</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.fkr84i.win/8572-1CB9-2565-0073-14DE</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.fkri48.win/8572-1CB9-2565-0073-14DE</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.djre89.win/8572-1CB9-2565-0073-14DE</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE" target="_blank">http://cerberhhyed5frqa.vmfu48.win/8572-1CB9-2565-0073-14DE</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/8572-1CB9-2565-0073-14DE in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1972	bcdedit.exe
272	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	TapiUnattend.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TapiUnattend.lnk	VirusShare_270b70bad151a515136f553e5bc880ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TapiUnattend.lnk	TapiUnattend.exe

Executes dropped EXE 1 IoCs

pid	Process
1540	TapiUnattend.exe

Loads dropped DLL 3 IoCs

pid	Process
2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe
2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1540	TapiUnattend.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	TapiUnattend.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	TapiUnattend.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TapiUnattend.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp177.bmp"	TapiUnattend.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2700	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2484	taskkill.exe
2232	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop	TapiUnattend.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\TapiUnattend.exe\""	TapiUnattend.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423497119"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a097b68ef1b4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CBFCCF31-20E4-11EF-AF73-469E18234AA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004eea84998bdfd949a2d93396a902e8f7000000000200000000001066000000010000200000003eca5c933666edbd971b30f1da727b167bfef1bbf66e9c0cfbfeaa62db081022000000000e8000000002000020000000695f2f303f55f226ffd04c535dd3a8383a3c25f09765e6429b7d8b44a0f0a2bb20000000c0e701e2fbeea6c75e6ea48167a4e6091a9442933de06b5d75ef1d4cce6c5a0d40000000c1e42711145d1e1d2f932bee5c0ea4ae5aef5b4beacf32556732a956cc2bd937767f8338c9be3be65297183192555a7fc591a0969aae7627b56ff7d02890c3fb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC08B611-20E4-11EF-AF73-469E18234AA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004eea84998bdfd949a2d93396a902e8f700000000020000000000106600000001000020000000d0ca56e414593bf6626bb7805903c7dbccbda1cbefde15fd25faa028902f4271000000000e8000000002000020000000815e584a1d068bd335fc2515bd004f54295ab00724f608c0d43369ada4f6a0fc900000001f99d8bb547b9cd6a3d8cf8baa981da8e0c5f2340746f8e6c9832f79c80baaca05cbc2cb7e1eea9b3b49a8d96db9740e657cb4f18a18b2249ae09f3e19c17d5d2db9dd147498bd2c6a6f8b8df7f0546abe4d1dcb75d6ed9a995e6a1b2e28cca9e1d0e0e5d55b25151d8ee246bd8d2237764686830240eb52988bb708cde35c925e3daf5b564b55ce19ef33c5a859d182400000006b0058114134a37b32526b6f5743d2316946580f917d140391a05c8808f4c1e080a803b83ca2ef26120104bd5c6283a8a4ad119d2e5b160977b0821f1a96313f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2920	PING.EXE
1488	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe
1540	TapiUnattend.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Token: SeDebugPrivilege	1540	TapiUnattend.exe
Token: SeBackupPrivilege	1808	vssvc.exe
Token: SeRestorePrivilege	1808	vssvc.exe
Token: SeAuditPrivilege	1808	vssvc.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1132	wmic.exe
Token: SeSecurityPrivilege	1132	wmic.exe
Token: SeTakeOwnershipPrivilege	1132	wmic.exe
Token: SeLoadDriverPrivilege	1132	wmic.exe
Token: SeSystemProfilePrivilege	1132	wmic.exe
Token: SeSystemtimePrivilege	1132	wmic.exe
Token: SeProfSingleProcessPrivilege	1132	wmic.exe
Token: SeIncBasePriorityPrivilege	1132	wmic.exe
Token: SeCreatePagefilePrivilege	1132	wmic.exe
Token: SeBackupPrivilege	1132	wmic.exe
Token: SeRestorePrivilege	1132	wmic.exe
Token: SeShutdownPrivilege	1132	wmic.exe
Token: SeDebugPrivilege	1132	wmic.exe
Token: SeSystemEnvironmentPrivilege	1132	wmic.exe
Token: SeRemoteShutdownPrivilege	1132	wmic.exe
Token: SeUndockPrivilege	1132	wmic.exe
Token: SeManageVolumePrivilege	1132	wmic.exe
Token: 33	1132	wmic.exe
Token: 34	1132	wmic.exe
Token: 35	1132	wmic.exe
Token: SeIncreaseQuotaPrivilege	1132	wmic.exe
Token: SeSecurityPrivilege	1132	wmic.exe
Token: SeTakeOwnershipPrivilege	1132	wmic.exe
Token: SeLoadDriverPrivilege	1132	wmic.exe
Token: SeSystemProfilePrivilege	1132	wmic.exe
Token: SeSystemtimePrivilege	1132	wmic.exe
Token: SeProfSingleProcessPrivilege	1132	wmic.exe
Token: SeIncBasePriorityPrivilege	1132	wmic.exe
Token: SeCreatePagefilePrivilege	1132	wmic.exe
Token: SeBackupPrivilege	1132	wmic.exe
Token: SeRestorePrivilege	1132	wmic.exe
Token: SeShutdownPrivilege	1132	wmic.exe
Token: SeDebugPrivilege	1132	wmic.exe
Token: SeSystemEnvironmentPrivilege	1132	wmic.exe
Token: SeRemoteShutdownPrivilege	1132	wmic.exe
Token: SeUndockPrivilege	1132	wmic.exe
Token: SeManageVolumePrivilege	1132	wmic.exe
Token: 33	1132	wmic.exe
Token: 34	1132	wmic.exe
Token: 35	1132	wmic.exe
Token: SeDebugPrivilege	2232	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3004	iexplore.exe
2180	iexplore.exe
3004	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3004	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2180	iexplore.exe
2180	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1540	TapiUnattend.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1540	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 2408 wrote to memory of 1540	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 2408 wrote to memory of 1540	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 2408 wrote to memory of 1540	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1540 wrote to memory of 2700	1540	TapiUnattend.exe	29
PID 1540 wrote to memory of 2700	1540	TapiUnattend.exe	29
PID 1540 wrote to memory of 2700	1540	TapiUnattend.exe	29
PID 1540 wrote to memory of 2700	1540	TapiUnattend.exe	29
PID 2408 wrote to memory of 2652	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	31
PID 2408 wrote to memory of 2652	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	31
PID 2408 wrote to memory of 2652	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	31
PID 2408 wrote to memory of 2652	2408	VirusShare_270b70bad151a515136f553e5bc880ac.exe	31
PID 2652 wrote to memory of 2484	2652	cmd.exe	34
PID 2652 wrote to memory of 2484	2652	cmd.exe	34
PID 2652 wrote to memory of 2484	2652	cmd.exe	34
PID 2652 wrote to memory of 2484	2652	cmd.exe	34
PID 2652 wrote to memory of 2920	2652	cmd.exe	37
PID 2652 wrote to memory of 2920	2652	cmd.exe	37
PID 2652 wrote to memory of 2920	2652	cmd.exe	37
PID 2652 wrote to memory of 2920	2652	cmd.exe	37
PID 1540 wrote to memory of 1132	1540	TapiUnattend.exe	38
PID 1540 wrote to memory of 1132	1540	TapiUnattend.exe	38
PID 1540 wrote to memory of 1132	1540	TapiUnattend.exe	38
PID 1540 wrote to memory of 1132	1540	TapiUnattend.exe	38
PID 1540 wrote to memory of 1972	1540	TapiUnattend.exe	40
PID 1540 wrote to memory of 1972	1540	TapiUnattend.exe	40
PID 1540 wrote to memory of 1972	1540	TapiUnattend.exe	40
PID 1540 wrote to memory of 1972	1540	TapiUnattend.exe	40
PID 1540 wrote to memory of 272	1540	TapiUnattend.exe	42
PID 1540 wrote to memory of 272	1540	TapiUnattend.exe	42
PID 1540 wrote to memory of 272	1540	TapiUnattend.exe	42
PID 1540 wrote to memory of 272	1540	TapiUnattend.exe	42
PID 1540 wrote to memory of 3004	1540	TapiUnattend.exe	47
PID 1540 wrote to memory of 3004	1540	TapiUnattend.exe	47
PID 1540 wrote to memory of 3004	1540	TapiUnattend.exe	47
PID 1540 wrote to memory of 3004	1540	TapiUnattend.exe	47
PID 1540 wrote to memory of 2856	1540	TapiUnattend.exe	48
PID 1540 wrote to memory of 2856	1540	TapiUnattend.exe	48
PID 1540 wrote to memory of 2856	1540	TapiUnattend.exe	48
PID 1540 wrote to memory of 2856	1540	TapiUnattend.exe	48
PID 3004 wrote to memory of 2200	3004	iexplore.exe	50
PID 3004 wrote to memory of 2200	3004	iexplore.exe	50
PID 3004 wrote to memory of 2200	3004	iexplore.exe	50
PID 3004 wrote to memory of 2200	3004	iexplore.exe	50
PID 2180 wrote to memory of 2952	2180	iexplore.exe	51
PID 2180 wrote to memory of 2952	2180	iexplore.exe	51
PID 2180 wrote to memory of 2952	2180	iexplore.exe	51
PID 2180 wrote to memory of 2952	2180	iexplore.exe	51
PID 3004 wrote to memory of 2680	3004	iexplore.exe	52
PID 3004 wrote to memory of 2680	3004	iexplore.exe	52
PID 3004 wrote to memory of 2680	3004	iexplore.exe	52
PID 3004 wrote to memory of 2680	3004	iexplore.exe	52
PID 1540 wrote to memory of 212	1540	TapiUnattend.exe	53
PID 1540 wrote to memory of 212	1540	TapiUnattend.exe	53
PID 1540 wrote to memory of 212	1540	TapiUnattend.exe	53
PID 1540 wrote to memory of 212	1540	TapiUnattend.exe	53
PID 1540 wrote to memory of 1044	1540	TapiUnattend.exe	56
PID 1540 wrote to memory of 1044	1540	TapiUnattend.exe	56
PID 1540 wrote to memory of 1044	1540	TapiUnattend.exe	56
PID 1540 wrote to memory of 1044	1540	TapiUnattend.exe	56
PID 1044 wrote to memory of 2232	1044	cmd.exe	58
PID 1044 wrote to memory of 2232	1044	cmd.exe	58
PID 1044 wrote to memory of 2232	1044	cmd.exe	58
PID 1044 wrote to memory of 1488	1044	cmd.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\TapiUnattend.exe
  "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\TapiUnattend.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2700
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1972
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:272
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2200
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275458 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2680
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2856
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:212
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "TapiUnattend.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\TapiUnattend.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "TapiUnattend.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2232
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1488
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
c50b79fd595a3bde92e9dac7506f2aa5

SHA1
b7b04349e5f1db6a5fb4f2f083d7b5be01d6c12a

SHA256
c28ff981e27e6fe5b9acdef4edb2d1d0edeabc3b8b6f3d715dfd8e3d03ebdbd6

SHA512
e7fbb748c1ef7eaac7f4dd91a68b549f3d4037c1827c70f58a394cea81544714e1dff89bb9983b195bcadd5ff9eb190ec3a0f2ceef14d9cd416c721727bf9236

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
2cbd98c8993bf70846f95b63cc277527

SHA1
feaaaeffdb9c06d29ca3c5b490f0ed5eed838120

SHA256
f280f05a9ce5df3ba4af35b46a1a9b6029f020a976db265bee56d896c36384ac

SHA512
db8e2815462daf614bfd8f310962d00c19284c7e70441e5f38a4dcd1807d7fe01ab81e9dd047a1a4b65ce72ab05a72b4ba743ea98b70450c1b6db90282104b69

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
e40017dc7d99eb7a16860166184c8677

SHA1
2b1b12ce0a93b9f0cae5cf9fb39e984b5cf63152

SHA256
986df76c639a4b9306bdb2b9fd35c822b34a2bbec836fce56289a3ae71b8aeba

SHA512
d1e85a25af9441fdfbf9dcef5960ef32ef6234df433afdae4cb41dbc9482a846575b4162a5c6f498c5170bb9fcd206061a9eb414cded68b21834e277eedcb63a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e7ec113587ae21bacbed70d7faffa07

SHA1
a88d71a3d55f9b29172f97377fd89af1f78f8687

SHA256
909362f53ce1988089736eba0cac0b954cdb9b0c7454292e9b5c463245d19eb1

SHA512
359e23d0200f17598239ef64c1227879d67a1cad1d644395f65bdfe0152d08be6271cada3d5132eb8e0a174f241c48861d955a9370ae005d5982d52f49e5150b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b9ad4325c06706549d73bc8c456e70c

SHA1
7b2ef417ecd09f12db590b2b7137cb7ea688fa6d

SHA256
45f9f37e2a572c3532a11e6a485ce726e596839ed570f47211f481538583dc6c

SHA512
0abccecf8cb226f2c8d5e266453f84c8021d349f9f64bf13e37d67648ad1a455875464a523bd4a69c6d61f6c80f3ae4f8e7305cee82393c984e3aa77ed107a53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bb6287b5a7c7531f8b4b0410fd8bc13

SHA1
4e877f894db6b15b657337f7c89f323dacc719f0

SHA256
4c8e93d30b24742b0ee3a0b422182e56f7275d8ab10b5b364ad37b1ed057e3e5

SHA512
33e3979ea8fd7e96067fd5da6fe349e5449255aa714ed5a1c5d145e4eda35a455cffc4f5e3cae04aae346d3cf94d6b597b1c5c2035718c74e0d98c035dcdb900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14632735ed05317a6b244d4ac43fb320

SHA1
f71a82d1da59bf8b318cb01011be59bfb42276ad

SHA256
ad159c3cdd66d6ce664f3f8ccb94ed14fd652786333d0fc0e691925b870b2967

SHA512
f399f626a0e22039a4697d193f5abd2a25b487cb5f54a1f591466d95f45b2983aad9d258ee9430ecd901b63d96815e5040b67eb3f5c68b232ef04d07c5af90c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae44ce766d5cf9db04a23e4320bc878e

SHA1
15b0e031417458780d5364cfbe244505e1b99b47

SHA256
5bf443343debe5a039ac3d85464f25ffa7d21c87d7fb99dc01d7e1e2b6b527b0

SHA512
3599413f6eb54b4286fd10aeb951aad6041ee269aa40be31a3a1215171c3cc334d64c6e0392f605956f22750c20e72aaf6232144968b3924291f59f91d043041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f228a27822c3d71af3c591a214f28b53

SHA1
fd3878f18be2bc57be9b8f8dd709a849e14d4584

SHA256
d43b33e822b112f8d7a93e3b074ced2def57251e4cd94b5544d2639af4fc1856

SHA512
2dd65d647eacb62c41526013eb9dc9ee8721fcbc2c71dadeee4e5cb5a2d867dabd79dc1121aee7d59c51a114c6e7f1110ca1924a25301350c1fca79232be1c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4a92d5ec6c7cdfc3d973ca89f73c899

SHA1
2a833187fcf3c9cff6ce9e87d6869baf1520240a

SHA256
8edb97f3091ac7e216f90b71b8c2853ba5d7f4e5847e63073d21308d5a69eee4

SHA512
bbb3e183f9082a8c04181643e282a319cd321818482fe2fc25d4feb5abd955f68d056b5925bcd24956c67ccf919cae10770298ee401830dcafd36d1800354158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f88bebac20dba30515df8af5d48c8eca

SHA1
1b511d01a9fb9ef1ef03248c48ae2128c20a9365

SHA256
b2bbfb94999f6e38b5084e0bdacf4dede21a65874c876fc3b1f0d4e1f55fe228

SHA512
b7cdae2efe470c4c07cf7ed1daebfd36f2683dff48143caa1f0aa76317a93a7142175e942125abc33ad0b3fc961dc394e55764178fd5daa7edf21a1b6922f313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23c64f825ad737f042bf565923727777

SHA1
7c67e194af5e7517462b5c96f0e1b1248df9144a

SHA256
c0aee5f4753616cbcf07e50fb7d3cbd23d08b8a7e99f22823bac6022eb6ed649

SHA512
7648e31642092ef165efc2fd19a8d897015db807c3c7402257da2729ce808565ab6ed2bc434d88eef34c025e7a5d1517e57ba63a2a0361071df09df848b333fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c32873b0eb394a5b3dfb611ea401c72b

SHA1
8fe77675545de7827a4aca27c119cdfd0a0dec3c

SHA256
9d7586b947dd5abe722c5731f9187330d921d20aea2078e0ff70fb24eeddafdf

SHA512
3b24690486f47783f94458906ef3a4b39151d60f33d0e8e31eb2a1d18afae78c1aabde42035c2a74246f0ff88bda94676851db1731dfa5d8e072eec851a8aa47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c489b9c9ff0d9cc4f39ae59f31a13db

SHA1
e55d182bd654258d0f521c04cead4960f27a0363

SHA256
daaaa585a1726d7c5ac06810a92c926a95b3ea37b70ce85ad59e9595955f41a7

SHA512
a65911deaec6e5387352a45754d75ea3d1e836056d2d7606e1d3c43f0162c8d58a45249c58b7c6becfee675e0dd68ddaf0cfd941273ea9947285cbb56b24569b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37bf466fd726c8d9709a8588319705f1

SHA1
ac7a0e3eb42427d686ae9ea3f4d1e258581453e3

SHA256
dc5bb59776f7fd48ad8588defeb14d24a83bd7f83954f2ca72127b6b63690ce0

SHA512
e71fe53ac18df8e7c3455f2d59c634c01c1916f815824897f5d5cf87f6b077c8426a475d6496c7f893f2cb5e28ab474fb0bb8f01d9eae9bb36a2621bad5b93a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feee607fec122608234eab975f130389

SHA1
42120cc53d5853197a36cc92a410bcaae1aa5c24

SHA256
619ebf3ff8b692c963576d76cc97165e3b6f60212882d6b20828b9d1e7476cd2

SHA512
945abe5db3bc1a04bf805397d311d67cab4663f15cff400e662246fe0cf181505a5f400b7a5714a9ec655e3358f4185c142eaccb75bdd78fe89e65a17cf9da62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe007faff6f24d3ac5075aeca87194c1

SHA1
19447ecca76aefc2523d73f2330b5405308a9892

SHA256
14ad55c7657df460c6032286d073a706c76f574d641f670349aa558ec95a0215

SHA512
b146f3a7b034abd0f31665476cd5990a322e6eab2e868aa905561a0abbe80015617e489a4d0b20b801f772f87586fddb69a5d988b76f9f0b48ba146120221d78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
792aee57909b0ed568ef0bee59b7ec30

SHA1
0fae54bf913e15f50e848caf83d0070e0688bced

SHA256
64281fe2192d0b5be1fe396054b97116006be6d69fb2546f799f2c5c24d13c5b

SHA512
90f268f31f5749da20a1cefd2e523a216da7aded9ef55294cb87d322005e2533ac8c0657e33ceadf477e133c5fd9376a0ff1a1b4c07511929c518ccf3818eeb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eee99d570fcf353ece42cc1b38f58fa5

SHA1
42d7dfcb646bef3f1b2f211fd221288ea8daf9a9

SHA256
c2256976a143656249daf10bee1c852fa37f969991342ec8a9a4e2c1e66f95a3

SHA512
37b80705cd5808184a04899d7127f5766bdc804fdd96cfe9cd9352b3ba23ad825fbb67204b8f481ff8cb0d842a86cbe5c0024b03950cb0e02a29b84295b6f587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6627e16a027cb6715aa1c6678c7c957b

SHA1
8caea10b083a6c815b5f01a9b42f1de3408f3e57

SHA256
0113658d0e6620458cd7939374f74abe5ddfc3044ed78f0025a3dfd6bacdd870

SHA512
14b99777c38fb75f6659953fafa3eae0a392ee88112ecd63b030069056659b8fcb594f102815283e26510d4182b5bae79de2c7538110a0c470bbf737c4bb6211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57937083e08d4b72504f48f51d104c65

SHA1
180da5764879c66de6d7b76bb8375e37ef6b0205

SHA256
200ed02a7d38b972701c062e4b6568a13a0364561e1a678dba24d12ade800e38

SHA512
893d4dd9039d1db20b3848a68ff92555e39bdfbeacb21990f1b6dff9c22bd462a7892b6a67237a3a13c44f717b33746095e61d40078db8996856561a1c661f7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac9723f0a6da1084199b971fe50588c0

SHA1
ffc5fdc5ffd6814eecf7a0e74378cb2253257363

SHA256
05b3f5485972b7510bf1402a5ecf308893cb18686d293c885cf2c36614ff0544

SHA512
dd55e724e283b72d0f541cafae8243892dba9afd3cfd8cfe3b7de342a2c82a1bdeee3754c0b478249825d148d5410d2f0876b2a0f3e93d573c4613cefdebce03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CBFCCF31-20E4-11EF-AF73-469E18234AA3}.dat

Filesize
5KB

MD5
5ac3ee5231cd880ae306d79ffb954ed5

SHA1
58a3403cf5f5833a10320fd03788c6098b225095

SHA256
151bc2b3c774dc705ed508fba2999b367546b2033f57e58d0090166c4030ccfd

SHA512
77907746c11abbc1d2f43bc0fb8d98d0b41efd38e388f9795777660e262483cd657141c4a7094f1bf9bbd1a882620dc32a8952421ce13fa091cfaf6ef38f156f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1881.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19F1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TapiUnattend.lnk

Filesize
1KB

MD5
2f8bca94ea4f59133b47f8767ad7689b

SHA1
65184055879df101bd9caca1750b62e030306c19

SHA256
86784edfe7e85bf00100d5f88abc8e585212c3723b40653d92d9d8876b87b757

SHA512
a2dedff168c07cb9c73f91db8380d16da3e311bd10256d5a3409cc05526ede95e5c2355b847e421de89623a6c4331b9f74be3769a71b1a6e5b2e7aa7f12bb265

Download Submit
\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\TapiUnattend.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
memory/1540-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-469-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-446-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-442-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-441-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-452-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-489-0x0000000003F90000-0x0000000003F92000-memory.dmp

Filesize
8KB

Download
memory/1540-461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-439-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-465-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1540-444-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-468-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-449-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-471-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-473-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-477-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-976-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-479-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-23-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1540-475-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1540-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2408-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2408-0-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/2408-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2408-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download