cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.qor499.top/1F1F-F8F1-781E-029E-D4E1</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.gkfit9.win/1F1F-F8F1-781E-029E-D4E1</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.305iot.win/1F1F-F8F1-781E-029E-D4E1</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.dkrti5.win/1F1F-F8F1-781E-029E-D4E1</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1" target="_blank">http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/1F1F-F8F1-781E-029E-D4E1 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1 | | 2. http://cerberhhyed5frqa.qor499.top/1F1F-F8F1-781E-029E-D4E1 | | 3. http://cerberhhyed5frqa.gkfit9.win/1F1F-F8F1-781E-029E-D4E1 | | 4. http://cerberhhyed5frqa.305iot.win/1F1F-F8F1-781E-029E-D4E1 | | 5. http://cerberhhyed5frqa.dkrti5.win/1F1F-F8F1-781E-029E-D4E1 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/1F1F-F8F1-781E-029E-D4E1 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/1F1F-F8F1-781E-029E-D4E1

http://cerberhhyed5frqa.qor499.top/1F1F-F8F1-781E-029E-D4E1

http://cerberhhyed5frqa.gkfit9.win/1F1F-F8F1-781E-029E-D4E1

http://cerberhhyed5frqa.305iot.win/1F1F-F8F1-781E-029E-D4E1

http://cerberhhyed5frqa.dkrti5.win/1F1F-F8F1-781E-029E-D4E1

http://cerberhhyed5frqa.onion/1F1F-F8F1-781E-029E-D4E1

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	wecutil.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wecutil.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wecutil.lnk	wecutil.exe

Executes dropped EXE 3 IoCs

pid	Process
2248	wecutil.exe
1032	wecutil.exe
2724	wecutil.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2248	wecutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	wecutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	wecutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wecutil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp257B.bmp"	wecutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2612	taskkill.exe
540	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop	wecutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\wecutil.exe\""	wecutil.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423501972"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f9abdbfcb4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18F70341-20F0-11EF-92B8-52226696DE45} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005279c379b3088f409d04afde19814cca000000000200000000001066000000010000200000004c2db2e51ffaedba92fd4915beb6097aabe2f18ed9fbddddfed2d74fdf040f02000000000e800000000200002000000034aaeb3f00164cccff5482f2d5b14f486d12cacd27bd61b1b8aa11dd581ddf5b20000000a8285523c11abda7d616c0c91e912c7119a64ef2daafa3f536a976219461677f400000002f95fc3573ad363a23c975f2947f4b293c881bd5eb8f9f82bd6dc8bb8e69359c35e3f4dc13d7f776059dbfd084405a17dea925da6e9a4a40a013e1bc86cbed26	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18EB1C61-20F0-11EF-92B8-52226696DE45} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005279c379b3088f409d04afde19814cca00000000020000000000106600000001000020000000139253dbc345666263037d2e79773f4cab0cbbc66689a9064e18153ef3eaec96000000000e80000000020000200000002e09fa614bc66746a2a4404500603fbf58e7a78defb875a91faddaa959b7f58990000000dd526125c7a406870b761d6d7aca0b4c533a491fda7c5cc4ae1b28ddc31934cd7f9bb21c9fbc36ba02b29a370d62a2ed52e7d1dda43ce43da8a1c60373fed0130a10959215d36d64e2834930a3b1ab6518822f76d1ba9d8f86200fccbd8a3d6ab5059c4a5c2cbc08b2fa10b9f37f9f49fca90cb4912094c8fcaf80d263ac3cded4d304fd4626ff71eff9ac850f76fa32400000009f31fdf777ddcf3a28569b71cd0967b5e772312fd814650680db14650be32fdd4c8ce14e39542621c3edd1e5a71aaaf252d898e7dc582378659e558ca699fad4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1892	PING.EXE
1136	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe
2248	wecutil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	2248	wecutil.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	1032	wecutil.exe
Token: SeDebugPrivilege	2724	wecutil.exe
Token: SeDebugPrivilege	540	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
580	iexplore.exe
1948	iexplore.exe
580	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
580	iexplore.exe
580	iexplore.exe
580	iexplore.exe
580	iexplore.exe
332	IEXPLORE.EXE
332	IEXPLORE.EXE
1948	iexplore.exe
1948	iexplore.exe
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2248	wecutil.exe
1032	wecutil.exe
2724	wecutil.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2248	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2768 wrote to memory of 2248	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2768 wrote to memory of 2248	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2768 wrote to memory of 2248	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2768 wrote to memory of 2532	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2768 wrote to memory of 2532	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2768 wrote to memory of 2532	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2768 wrote to memory of 2532	2768	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2532 wrote to memory of 2612	2532	cmd.exe	31
PID 2532 wrote to memory of 2612	2532	cmd.exe	31
PID 2532 wrote to memory of 2612	2532	cmd.exe	31
PID 2532 wrote to memory of 2612	2532	cmd.exe	31
PID 2532 wrote to memory of 1892	2532	cmd.exe	33
PID 2532 wrote to memory of 1892	2532	cmd.exe	33
PID 2532 wrote to memory of 1892	2532	cmd.exe	33
PID 2532 wrote to memory of 1892	2532	cmd.exe	33
PID 2856 wrote to memory of 1032	2856	taskeng.exe	35
PID 2856 wrote to memory of 1032	2856	taskeng.exe	35
PID 2856 wrote to memory of 1032	2856	taskeng.exe	35
PID 2856 wrote to memory of 1032	2856	taskeng.exe	35
PID 2856 wrote to memory of 2724	2856	taskeng.exe	39
PID 2856 wrote to memory of 2724	2856	taskeng.exe	39
PID 2856 wrote to memory of 2724	2856	taskeng.exe	39
PID 2856 wrote to memory of 2724	2856	taskeng.exe	39
PID 2248 wrote to memory of 580	2248	wecutil.exe	41
PID 2248 wrote to memory of 580	2248	wecutil.exe	41
PID 2248 wrote to memory of 580	2248	wecutil.exe	41
PID 2248 wrote to memory of 580	2248	wecutil.exe	41
PID 2248 wrote to memory of 872	2248	wecutil.exe	42
PID 2248 wrote to memory of 872	2248	wecutil.exe	42
PID 2248 wrote to memory of 872	2248	wecutil.exe	42
PID 2248 wrote to memory of 872	2248	wecutil.exe	42
PID 580 wrote to memory of 332	580	iexplore.exe	44
PID 580 wrote to memory of 332	580	iexplore.exe	44
PID 580 wrote to memory of 332	580	iexplore.exe	44
PID 580 wrote to memory of 332	580	iexplore.exe	44
PID 580 wrote to memory of 1720	580	iexplore.exe	45
PID 580 wrote to memory of 1720	580	iexplore.exe	45
PID 580 wrote to memory of 1720	580	iexplore.exe	45
PID 580 wrote to memory of 1720	580	iexplore.exe	45
PID 1948 wrote to memory of 2812	1948	iexplore.exe	46
PID 1948 wrote to memory of 2812	1948	iexplore.exe	46
PID 1948 wrote to memory of 2812	1948	iexplore.exe	46
PID 1948 wrote to memory of 2812	1948	iexplore.exe	46
PID 2248 wrote to memory of 2708	2248	wecutil.exe	47
PID 2248 wrote to memory of 2708	2248	wecutil.exe	47
PID 2248 wrote to memory of 2708	2248	wecutil.exe	47
PID 2248 wrote to memory of 2708	2248	wecutil.exe	47
PID 2248 wrote to memory of 1400	2248	wecutil.exe	50
PID 2248 wrote to memory of 1400	2248	wecutil.exe	50
PID 2248 wrote to memory of 1400	2248	wecutil.exe	50
PID 2248 wrote to memory of 1400	2248	wecutil.exe	50
PID 1400 wrote to memory of 540	1400	cmd.exe	52
PID 1400 wrote to memory of 540	1400	cmd.exe	52
PID 1400 wrote to memory of 540	1400	cmd.exe	52
PID 1400 wrote to memory of 1136	1400	cmd.exe	53
PID 1400 wrote to memory of 1136	1400	cmd.exe	53
PID 1400 wrote to memory of 1136	1400	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe
  "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:580 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:580 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1720
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2708
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "wecutil.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "wecutil.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:540
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1136
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1892

C:\Windows\system32\taskeng.exe
taskeng.exe {8EC44120-6E78-442C-BE10-3A61423F9D2A} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe
  C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1032
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe
  C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:2812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
5888f000a41f89424c104b357ddecdc0

SHA1
67a942f77ad96d81107567d2be22441ee4337591

SHA256
3cff79f5bfeaec8b16495e7c52327c2964d20b98a7d2da125b99b1663911d19e

SHA512
e4b6abd53e7c3697f3fc1dd5f8938277ff6fcebaec24853dd8d2065a1a0726a346d2d7c7342864eb13b557f31466c7eee55848e92fd157e980968c852790e507

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.url

Filesize
85B

MD5
4d958a318de740d7b9d811d426b123ed

SHA1
530d5ca893f2f2b21908a77821d067d90bba1eb6

SHA256
0b99395d8744ad4dd08a216df60d9c1e0f78c2f91ae9597e237ffdfd256b9a80

SHA512
b6241a883b51820f76e552f4781614b399d7f3a761605aa5545ab9c8ef8b17bebc3ea13af09e062bfeef164eb940ac92fe294caa8ed24031b8a5bed8744aeb1e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
65bf8baba5ea8f417323465fbcfdc86d

SHA1
46ebd3550a64c33454b581a6e074a32abf45c7cb

SHA256
c5bac8be907105171e58c31602fc49668f46079d5553d9cb0ed6939d792767f4

SHA512
7ac67f43663cb1b522de9d83277f2385570eb30d4bd00df5ea5b7e760b3d414847214a8110a5aec3d6545f786d5196e9074cb7936bef7abc859574534d177abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a28dc25b47a1a82cfddbffb387aee814

SHA1
34a8da82591aaff25cc811913c0a678b4f352554

SHA256
32438cd137e37c10014ba4c745a8ec30753ce99c2b83d0540e2e4fdbfbf5ec80

SHA512
3f9e02227f9350e688bc74a2547b3307b8282181521eb84bdb21feb99a58128c3fcab7e3fb77f63364d51347f080e50bfe33df5e086f0c85eaf4c1dea411632f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa1b439d895e1447313ae6e07ee4d5d1

SHA1
ac6393bf634782e5d454e2c985816a6fd74a27be

SHA256
fc38dbde4f46f65611d0c584cf52b1b0add3ac52032b14a4dc59043b64ad6db8

SHA512
cb1dbbd2a25f06ec619ee598a46851e1975217ea486b22bc1bc73d6abedd66f144df3dcd67dd43593736965959b10be10fab9995b1970cd1854bdb707a1d9013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b07e17e0e9c104aa66037584b59b913

SHA1
274357d0fde5f42dc936b0566fb9b75435cee800

SHA256
552b1471fd5f5c195c286d83f950c361a64b04de0a10ecef7a29ce15c97c57c7

SHA512
adbdcca6ae20914a83aba41327c2a556c5e2beb23ef2e778f8a31347fa54a7a0d569ebd52706b50d5d8b0cee20bb08eb1c4126ab2403b16224c68ccb62f4e75b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02b6486789094e42d8d1795d01f38935

SHA1
e966da9f07c31fbb3e9e23a4b78d35f9d0ef5407

SHA256
7aed3c3adc28a3bed738bb034901a8ad2f8f1d8e5123222018dbf7d68fd19406

SHA512
c562f06fc7c561c25a8c02ac40c69f8db2a3db01be251d4a42e4bc23346ed8695e0057f552dad7202e518c9eb1a5ac57ba11f7da499a2c35f14f4e6f078f53e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5ed1746cdc1d3521112475f546b9639

SHA1
13cc572f7e96cc6265c28d0931524990c513457f

SHA256
477b8e7f236a9960e94797ce0ad5090e5abb1f9eac771c38e2f0c0126a4b4670

SHA512
a223f82c74b1fb3645de546d94538fb0e2d7b2fb75ca21fd4b71c1bc458e868c2c4b95c596dc3be19b0b2ab7ea438dd1b35ad1826d460b30b9a6d91dd73a4964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90036d6d3560f98a2ba99d401efad727

SHA1
98e466c3f029473af6f5759fddc30da5ab1dc85e

SHA256
10872118c7fa7fde841ed27df77cd5c295216a35129391b97e94576a6620b405

SHA512
86c7d8ad34f069e5cab3c0c21066420f37b083f88ed03c3bd3aa4297347bc978a7a3f59e5513e4a3a801d8eeac3a3c338e2a3134e898585e674d12ff7065a486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f8bcd7f6cc805759192433cd5878b5f

SHA1
10d9700a67606d94bf83a6d3924d87e65aa11f8b

SHA256
66e09c0a02dc688a8c5458e6afa9b79cd82107f44d8548edb82be667e5d70926

SHA512
cea1eb047e3164bfe2791db116df13f2548dd92a702dd31a13ec747985b06460a8497908b6d8370b6b58977c932606123e3fed60ab4fa55745a9455a5a8cefbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43e93603fccf87ee00e8a0fcd6c51a36

SHA1
69ae66a58dc83a18db5858b882e9f426bbf330d9

SHA256
0851e71f915acb90cccefd42bbf57a0b9ca1aef6094ab67b06afa9fa3d60e604

SHA512
ca46ccbad926a218749c4f226763fcbfada0930c8f3ce18e44037b3e2ab98549398441d0f5063e2487a90cb84b0ce39a86e335b2dac240e4ecaefe547269a602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04da6c5880744269b25973ffb9233143

SHA1
6caf3729e70401332f93d7e47ecd22161adc06fe

SHA256
17ff23ba5d05c1a83caae8cfde4424946bc94f0b46e9024f09febe690ad13637

SHA512
95e87bb809673e3f2bada2ad892127462a2f6c24f03f0ab7c26391c17a087767fd828b917fd6e5472e69dc11d1f1684f0215f8ab9c1bd4415838f85153f23df3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b797c37f0eef0f52affc2ec96b823951

SHA1
2138584fff5846a47c042bd71c1dc981c4c65650

SHA256
368e9cad9575708919a562e3a5f2802ecad6b5f5fa0ebb2b307da91dac989ffd

SHA512
96fab155b638d1fa292415a15221d96f5e7c7fdd0a78239ee01a403ef162cd5dcbe420be0b0684dbb30da08c62ec02614b0bebbd095f00591dd0d6e201a9473f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e7cb5fe27912acad2d069b6eda0eba7

SHA1
e611cfcda0529c34b8066b1dbcd40a14497d6744

SHA256
85f895357371a0512e614ddf6a01d01c441f5162ef981b914015b9b4d4a08610

SHA512
034b66d7136a3ddd9ea33102e229f4372cb544b42b9e551255bf55972bdec3c4781acd5a63e7789611719f814b3621ea952db629987ce3f33e52fb95ee7270fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb4c6d770977d97518179d3575c929a9

SHA1
99ecc85701c3b2f80716d6db0764ec8e83ab6b02

SHA256
bc243ddcec063e9235549be8d947bf3239c195e7aa9e69f1d5a734e084a347ba

SHA512
3afe2678d24ecc04bc85e8867a30db0080d2367c823e64e3f5578c71587ec6daab6edec6b6453cd2ca77204aac94123ce153983d473d07e0e7e3b0f43dfa6884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da4be0dc0a8c93383b90c6e114a67a90

SHA1
36cab9181d453e7d95904e04937d3739ba251cb4

SHA256
39b20532d084c0585fe1b289225ae6e397fab04b21e4eafa0e9a79c7443113dd

SHA512
1b01238adf8b226ba84f0a192bd9a5902447719cbe9d33af212cc580b26739a662ae7c0c8f4bcd861f2a39a51360d875a4182eed025545df9ce9e280e863ff36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d2f5f5df2d209e69dc3771deebc9d5d

SHA1
cd32679c07131f323ccd422853e3dd98339439a7

SHA256
cbca2860fda8fcb10202b49e8102be9849676bb52c8d2894fd8e23980e2e6df3

SHA512
c466334a3f6d772c8252ffee9ca577a58b1b2adbdb9e4a02c0e4ff52d1eee8675fcc0dbbb2757a35bd0866436c719c5a11cd1bf7598bdc4c7622a18f603734b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b234271d6dba937831d09fb452d5f5e

SHA1
e82984204c958cdfc4f66650909c12688b40748f

SHA256
18d55bfc2b3064109d3ddfd9647b62b9a7526e4a0c4041614b3345d1cde5368a

SHA512
004b405d77966096d2fba8466b1cdf0c6c9d258ecf6dea2908305ae1daa94ea015c0b8b97eb931798f84afb8871d84f74bef0412755c4de1d9eb3d01948c3f39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e5dcc9568f33ac4af2d47cb939de69d

SHA1
752e1aca1691f0b23e2aca5908efe330139bb0ca

SHA256
6a06b4d8dc4532417a28bb6358ea2a903534c650c8274b20c162bd85033cacd0

SHA512
26701aab5c31a571892daf608729ba399409b29970affa2a488828d7027dc0d93a417318a682f001b1ad77dfbd881b1841f57c415f110e32d1e4b220ba2ffa6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d197098d655e22aff517b066ddec456f

SHA1
755173db6cf59d6ffe35c1f07b6c717e31d256da

SHA256
ab8da32443ae1eeb7cf1924d948600670c270019f3438dfa4b5e1184a16d9d79

SHA512
0aa77d21cb4d79035aeb158abd28bac326dac59ee6aac109af63d54a04149244913815966018f4fb44a0b84d99bd3a0faa25b5cfdb92c0fd8644ffc1e2d8dc69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26669d6cb75671566f6f3e793b7c18aa

SHA1
5e598fc56a444d6cb69b89369c7939ea13ad6289

SHA256
921f28619c977cdca7d0ba5560b583cd4d3d2d1196ecab462c9c57bf5c12b4b0

SHA512
90356fe6ff84d1082a83fb91d288a48ce7d389596f733d1f959949f2753d6c80f46cef4a0dafcee985cb825fdce32916a661b036a398fa332d4ba96f90b73f93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42cd185c41dc725c2f431634069587a4

SHA1
3433b3d05268d4a38e65eb8a896e8d2be00afca3

SHA256
8bfdf962d3b8cc899facf86400a7422eb3e879c9e91fb2a166e42ba3f1fcf5dc

SHA512
347b526baa18101eb9b2c759c676180ccac499ce1f9525bc1b8866878698615d9ce6edeee571490d5ba568c9e6e0da13d3e96e5cd58c6ada71c8719182f03cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{18EB1C61-20F0-11EF-92B8-52226696DE45}.dat

Filesize
5KB

MD5
9aa0491e8d89e0d7e637a0dc7fd20bfd

SHA1
1026277e5e04125136e61e6796bd4e88b6c08b15

SHA256
4f685ccead3af6c5760fa02627a579399eccaa6bfd2925dca2b17ec4ce732697

SHA512
51a0d6112846b840b34b9cda65f7cef538f249515c4e72c2a4c70f10d4e44c00bc0b01532f4459ac4c1b4456bdbb27c5f939a5fc70047db31cbf7e3f82fdadd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3C48.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D1A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wecutil.lnk

Filesize
1KB

MD5
719b84f4cee60e0b5d198e9df00cc3bd

SHA1
87ffeefe83f35ac372808f595be436e0b11029b4

SHA256
b0a8a930736235a9cd57f3075a03df2498a8ab484be190629783dc43afe6a418

SHA512
29e066baf45d059eae9406ef242d4a115949bf692212a8a7b987a95fc1a3d7c9b9efed202aee74c57780e5f87d597d43b9f50ea570968b1788d510724ad14ecf

Download Submit
\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\wecutil.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1032-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-461-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-19-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2248-455-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-468-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-470-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-428-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2248-429-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-484-0x0000000003770000-0x0000000003772000-memory.dmp

Filesize
8KB

Download
memory/2248-466-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-465-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2248-462-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-453-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-447-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-441-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-450-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-970-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-972-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-444-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-433-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-458-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2724-473-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2724-472-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2768-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2768-0-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2768-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2768-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download