cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
128s
max time network
130s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F | | 2. http://cerberhhyed5frqa.qor499.top/BE33-2456-6225-029E-D33F | | 3. http://cerberhhyed5frqa.gkfit9.win/BE33-2456-6225-029E-D33F | | 4. http://cerberhhyed5frqa.305iot.win/BE33-2456-6225-029E-D33F | | 5. http://cerberhhyed5frqa.dkrti5.win/BE33-2456-6225-029E-D33F |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/BE33-2456-6225-029E-D33F | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F

http://cerberhhyed5frqa.qor499.top/BE33-2456-6225-029E-D33F

http://cerberhhyed5frqa.gkfit9.win/BE33-2456-6225-029E-D33F

http://cerberhhyed5frqa.305iot.win/BE33-2456-6225-029E-D33F

http://cerberhhyed5frqa.dkrti5.win/BE33-2456-6225-029E-D33F

http://cerberhhyed5frqa.onion/BE33-2456-6225-029E-D33F

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.qor499.top/BE33-2456-6225-029E-D33F</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.gkfit9.win/BE33-2456-6225-029E-D33F</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.305iot.win/BE33-2456-6225-029E-D33F</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.dkrti5.win/BE33-2456-6225-029E-D33F</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/BE33-2456-6225-029E-D33F</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/BE33-2456-6225-029E-D33F in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	setx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk	setx.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	setx.exe
1124	setx.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
3012	setx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	setx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	setx.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setx.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFD62.bmp"	setx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2684	taskkill.exe
2644	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop	setx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\setx.exe\""	setx.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423503230"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e007eca934d9449beef5f265be9cf9700000000020000000000106600000001000020000000945538ca7c9b068156e69981cf38c220bf3aa5a9bdce61cac73909c28b8b697b000000000e80000000020000200000008f57c9ccddf8cd2186f24ed7cdfa6d5ac024608647d14a3347d657404770414e90000000f3a8353b6f6f47a2cc74cb647f3cce7f5aeb1ad912e255a315189f0111df249b457aef04a90e92cb4e0416108f9d00307ed30d11efa5628d531ba73e1da711b200f62f38bc522c8d44d7131f5bf2a4551e418d5bb1eb01c9a22dc0204aa5f8042d8d53b002a6a321f2b1ee781b03322142981691e6685ea9fcbe8389c897925ed11095adb4f0c59aa6bbc645320ed809400000005ab9acc85aee4c406726cc14a71b27bfb490db3cfb2f6afdae6617c8b8c0c4ed1b6e51283d9b9d4108d6c13b16ae7aeca5d9981da87a7b54d48a2e4c702dbe1f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{063539E1-20F3-11EF-9BF8-4A0EF18FE26D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e007eca934d9449beef5f265be9cf9700000000020000000000106600000001000020000000a95e7e9e7d2f51cc341f6fe15fbd87f478d9db3c6c334e82cab72143de85778b000000000e800000000200002000000051a5c75b241a77d1ca8855af40664aa6cbb771a3c9fa6fb987fa2cabbcf98a57200000004a5a63f2e8f50833876087a4298640a09232019339cc313fb165f1dd11c2b44c400000006bbacd4afec4d46c8b99f621e2c0bef3a084f7c0bb9bf8c3242a0a1cd76f492af36f4dbd91dffb97202c701855abb49c8860166c82f0409d4237ab2dc6d9d7b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207bf1c8ffb4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06295301-20F3-11EF-9BF8-4A0EF18FE26D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2948	PING.EXE
2512	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe
3012	setx.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	3012	setx.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1124	setx.exe
Token: SeDebugPrivilege	2644	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1596	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
972	IEXPLORE.EXE
972	IEXPLORE.EXE
1596	iexplore.exe
1596	iexplore.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
272	IEXPLORE.EXE
272	IEXPLORE.EXE
272	IEXPLORE.EXE
272	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
3012	setx.exe
1124	setx.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3012	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2304 wrote to memory of 3012	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2304 wrote to memory of 3012	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2304 wrote to memory of 3012	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2304 wrote to memory of 2600	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2304 wrote to memory of 2600	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2304 wrote to memory of 2600	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2304 wrote to memory of 2600	2304	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2600 wrote to memory of 2684	2600	cmd.exe	31
PID 2600 wrote to memory of 2684	2600	cmd.exe	31
PID 2600 wrote to memory of 2684	2600	cmd.exe	31
PID 2600 wrote to memory of 2684	2600	cmd.exe	31
PID 2600 wrote to memory of 2948	2600	cmd.exe	33
PID 2600 wrote to memory of 2948	2600	cmd.exe	33
PID 2600 wrote to memory of 2948	2600	cmd.exe	33
PID 2600 wrote to memory of 2948	2600	cmd.exe	33
PID 3012 wrote to memory of 1792	3012	setx.exe	39
PID 3012 wrote to memory of 1792	3012	setx.exe	39
PID 3012 wrote to memory of 1792	3012	setx.exe	39
PID 3012 wrote to memory of 1792	3012	setx.exe	39
PID 3012 wrote to memory of 3040	3012	setx.exe	40
PID 3012 wrote to memory of 3040	3012	setx.exe	40
PID 3012 wrote to memory of 3040	3012	setx.exe	40
PID 3012 wrote to memory of 3040	3012	setx.exe	40
PID 2444 wrote to memory of 1124	2444	taskeng.exe	41
PID 2444 wrote to memory of 1124	2444	taskeng.exe	41
PID 2444 wrote to memory of 1124	2444	taskeng.exe	41
PID 2444 wrote to memory of 1124	2444	taskeng.exe	41
PID 1792 wrote to memory of 972	1792	iexplore.exe	43
PID 1792 wrote to memory of 972	1792	iexplore.exe	43
PID 1792 wrote to memory of 972	1792	iexplore.exe	43
PID 1792 wrote to memory of 972	1792	iexplore.exe	43
PID 1596 wrote to memory of 3028	1596	iexplore.exe	44
PID 1596 wrote to memory of 3028	1596	iexplore.exe	44
PID 1596 wrote to memory of 3028	1596	iexplore.exe	44
PID 1596 wrote to memory of 3028	1596	iexplore.exe	44
PID 1792 wrote to memory of 272	1792	iexplore.exe	45
PID 1792 wrote to memory of 272	1792	iexplore.exe	45
PID 1792 wrote to memory of 272	1792	iexplore.exe	45
PID 1792 wrote to memory of 272	1792	iexplore.exe	45
PID 3012 wrote to memory of 2220	3012	setx.exe	46
PID 3012 wrote to memory of 2220	3012	setx.exe	46
PID 3012 wrote to memory of 2220	3012	setx.exe	46
PID 3012 wrote to memory of 2220	3012	setx.exe	46
PID 3012 wrote to memory of 3004	3012	setx.exe	49
PID 3012 wrote to memory of 3004	3012	setx.exe	49
PID 3012 wrote to memory of 3004	3012	setx.exe	49
PID 3012 wrote to memory of 3004	3012	setx.exe	49
PID 3004 wrote to memory of 2644	3004	cmd.exe	51
PID 3004 wrote to memory of 2644	3004	cmd.exe	51
PID 3004 wrote to memory of 2644	3004	cmd.exe	51
PID 3004 wrote to memory of 2512	3004	cmd.exe	53
PID 3004 wrote to memory of 2512	3004	cmd.exe	53
PID 3004 wrote to memory of 2512	3004	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\setx.exe
  "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\setx.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:972
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:272
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:3040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "setx.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\setx.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "setx.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2644
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2512
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2948

C:\Windows\system32\taskeng.exe
taskeng.exe {29DA62C7-D456-4F42-B019-CE421A93C818} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\setx.exe
  C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\setx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3028

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
87b9ed3177c137754f5ebf46ffb1dc4b

SHA1
8adb6cda09df3cec49580786345c50f4d3053431

SHA256
48e0ae92de4ae15474e14d735054a2522a96989cb92e2a08cd2f30619f3cf439

SHA512
3054796d3079b2ecca914e4c2152d157712a5608fea87ce275f064eb6c32062e0bdbbcfab1bd469bd80ac8e587a0709e50aaf9fce1316adae18d1c46d1af30dd

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
8ab8f8501574c7a9f5bc95dec195608d

SHA1
42c13fbc80e3dbbcb137c4c08edbad457c959baf

SHA256
67222a77cd695ecab670b18a140094d85b56c4816606a20c5411b8c32b2b847f

SHA512
495872fe751150272ffe33b33d080f789e8940c57d29a0fbe5ce198c2d47b6fb4038cc79bdaa37e67a48226ac9e0d31b551580a1b3f608eb2b3ce49f1b848f00

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.url

Filesize
85B

MD5
90bbb5665e259a126893a7fa9ac5d66b

SHA1
6b3c1053365eb6a11da3a1557b0054fc3b334f01

SHA256
f8846fc379a9f94e11382f65db80b9a9ed80278e4b2b42e2db7146daa1c58384

SHA512
2473a1dcbc0e7abe476fc6fb79fd68e26db56c60ee2c15c7c66dd6280d23862a173bfa706de5c2cb3bf871683484c978a331da0faf9b082ed0edb1594ae85c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f532e2bf7d53c468a6e2a2643c477b7a

SHA1
71e79376bbb979fe428cc4bf44f48805c64b4aaa

SHA256
438457050a68a5b9e6c1c2931169796bdebdf591018baf01ae07926d334ecaee

SHA512
d392d6c4bc5eea727a5b9039dae7f9963fc4401dac28a34ebf6cb01c67dc7e1484f507355fc2f95ea91429d226c985355ffbea2a9a7f201fb235aa32f85223eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9df6fc5755dd3d6b36e93d6d33cd370d

SHA1
5c866bbbb4ef55c79466c63b841ed5776671d4be

SHA256
c71e27bcd5312e33e0eb0ae0b705d2a2161d76d1cdd088f894479e358f004fc6

SHA512
05937fd490a02faa24208cb44fac9e01e60612619c4d716eaf47464cfe157178aa2c6a599c94f057f50ca947ee6594150bc5fd5097fcb8385ed1540e9e58e965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aff8a23fe9feccd4811dc749460e6cc3

SHA1
bda6208bfa11bdd2c2f34a50f319ce518b789698

SHA256
3cf0d9e548b9c85a158c891c5b853a5e2e6f7664e003a09229dcc5303c834bef

SHA512
bc4a1430c68544fe12d40de3fe2a117a7f1e684c9c0b67d05dda355c37b0522a6c052bd1e7dad9dc79b9b5fce6ed707d009e18282b0a014f6d24c655d811bfc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b01058a13687bb4be6a099cb3f81eb

SHA1
cddbf6c1afaab067ceac5282ec5f6ec3625780ac

SHA256
761edcb9fd83ab85dad33587d937afdbd116dfb7585f2358a82a16335a356498

SHA512
1555cd2160cf6d30498195adc50188e726b2f70110e40369a2a739a6aa3975d594afb9216e4d17dedf04ed22cf617cda03693d8fe8b9ef4852f4fd2a87d78172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16b26e73a27e5fd5e004195139a9d906

SHA1
38b17b7de02d7518ad02e4dfe1bdecf2a1902501

SHA256
536401ce5b40ff5b363652ea12f6c22dd432c5131fdab4e115216986d594c782

SHA512
19aa5db02af363a68297a342a8b3b1fc2284b165edcda9cc08d82968a4bbfc9e0e85bb6ca38d6d8bb46446599f0c0a794fe1c80ae958079d84850dd4398611e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06f372b2301a907d71debf965a454c80

SHA1
e2c687d8d3f61f14db120a1f81daafac003f6abb

SHA256
3063b42fc5b66b782d354ff068eaee6169893677bb81cc5726fae4724d0ec9ce

SHA512
b7dbf58f70c18be053fbe402d3cbc964b96c042465f7a74cbe32e8fe7a79afe2734ed4bd8164dc4d951a97cd8f95ec950ccc554a0f75a80b9dca7f131139e4a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf9be6bc58dd5bfd11f1a4befd713602

SHA1
1fd1304060e50df2394b9c84048c61f5fad6cb26

SHA256
e4147cfedfbbd5f8e081ebd41ba77548cd80cbaf264f13368e61f2fc31378301

SHA512
3cb054d7b6adfa18551754a63f9367e448cb3fa8840ef8a3e5411ad3dfef56e67d980fbaf5eee60df9c1eba838c034c305586d6f76dcd079d65f70c3f8c13a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c84b78b832c9238119470cbce489176

SHA1
0c02cc9244f460fe335d0c183d4b763548d22d90

SHA256
13a0e6b5a764e2504213692b77be2ace0a521d484880d7dc227b26cce0b83255

SHA512
089a973394412657fb5e4522b2fdea6b53f2945980ee679710a9809da3a2e7bd84fa72c7b6c10ba5742beb20ac1365baa106c7f26d425afa1ffdaa999793b54d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ecf111b2ad402cbe50b53e6abfb2f87

SHA1
3aa0ae1ab2492afb9e870595252e887060e39ca7

SHA256
0ba1e1063872e9dbad88fd3fb34f703ba5b0174efaa17275fbda839dc89fa96b

SHA512
f2ee2eba77c178e4cb72cd5d558d1ec13a25bc5ab6198eef6bd8da5acaf71f3090960450c6c5259d41ca0046536cdd425f6c38b9c3f4c3c48d90527029601abb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8835317c01b349d4ad0b8f0a266f8a9c

SHA1
71523bd60843387dd121d3764bc08a0aa6c33b9e

SHA256
b9919b85988233e7f1bc0376c5b83ebde2d273e7c7ba7d5301395762353368c2

SHA512
7d114826d5a67cc1fc00bc94b7f82924409e7f697d3c1dfaa3aeaec990abc4e51c9b6975ef6f42dcfea436d56867c6fb7beb3526e592661974f4f273c669d11d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6772f73faa2dee0812daf19e544a3b33

SHA1
7b5771a112471372a9e5412e7e23aa94bab27ae2

SHA256
dbc1282fc9feeecec13b631b8a9e94789c8abd090477cc7cde1a8a5ae9e596cb

SHA512
9cb8faebec000cbf34efae255ccd0067f6bc66a78597e4e6bb2e76479156b7dbd089c8d01383171c3b66aa8a4e62a38db886938778cc8703c601cf0957a269b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1665730f2cce86d2f7f46759c4466ab5

SHA1
1d5f23a9c7b9daef9c243bac1f8e2bed8504695a

SHA256
6c4687bb783b30e532060e3acfb6469b37fab31e57b3be5c0e446bfdc9875d64

SHA512
3b52f125a3213b6f909d95776720a52775ce700d7471e44a7b214cc6d0e9993da3a3eeb367d82cb5762ce73b77ce27493dce8231485dcf74f6ae6a0de8173dcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c2047126681d1021de0e53ca27d0ca9

SHA1
dbb4b133237213795ae54f69adbc2779ce8add64

SHA256
fab1cec7455835137e6a46f8ecf03be7a4706dfad5f8322ad6c74e70f7d5aa4c

SHA512
356b892b90f256ca725fc6b2f531e432e18de1ab1303eea347ce8abad25670c3bbadf81a7298553e9a4c0999f2b664cf841a39874eabe12fbd437b029d012dae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
148ccbc370f92f41b2fae8d492ec2ebe

SHA1
1cd280076cf8bedeb6269ae98de259cb9d541716

SHA256
03db3a9648e7a28a44433fdf0a1fcec3735e79744dd0a740e89faa430b497d1c

SHA512
815ebdf7587777be00aba9f26d3cffc3c00753a6b0b493a01a690b6713254e3687e07a9c04864f71859a2a099c40d497ce8783736e70535f3e937770e89ba417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
754daad0bdb10c451a73fdc2209ffe69

SHA1
13fc387267338b7b5f4c2f740f0b3ee080835559

SHA256
162a6f3cde3709254fe4a26250d85aafac5f5c8d7f1a1d7d1938b2e8dd3c0db3

SHA512
f18f4e48bcd8ea03d56e3e6e563c8de32e55d7c92591eace2a9cffe3ef8a3b806704e4f5179a086c11437a0d124d8d262c03969c8abe2ee67ba543c5c3f04617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ab48e85a5e8c9fa48e01f33ae5dbafc

SHA1
5e7315b08e85e71e95ebbe34a32b56083c01d716

SHA256
b01461d20572eb27ea477ff22f598fa8b84c4ff40ddf0fa804b8a3696d33cf6f

SHA512
35e5c845f5dcb4ffbca3ce68263d9d6fbebe8ec825de05f806685a5b8f5a01719e4f2874e52602139f19224c21ae027c846190c1320e0f2418ce79f1d7f1f6f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5931961b2c9a8ab18846ae1b24d351e0

SHA1
20590f5e74eab1ba6baa2961825e9877b42825b3

SHA256
6bd456ed7f69f5db48c57219696da1260a95ff7e2a48825fc7043bddab6de9f8

SHA512
50bdc678e70376f404a8a020f24ea8f4966e09b5617cfef2d4c4329a187f1fead86938a9b9019bb14db49b3f2261d422b803f5c635c2a65547b125690997aecf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
022131a125d5490c58de8b752be49623

SHA1
f95ee4ea88a61a4e9910d0b274b4bbfd44840eb6

SHA256
69ae010e7169c5dd8354f2fcee166114f3cd6381c79634defd25425f239c4653

SHA512
bbaecda1768eab45b8eeddda1e3ea165d05383691c2576f584cbe295810ffcb17786f906fba0eabd672636cc27c857345d1492a64dbfb5fa421466c466ecf12b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bd437f0f54f45ba4ba60c809173e913

SHA1
51caa24f6e858317bb96a9c232e70801cde0d6ee

SHA256
a0694aa307c610e844fcca6e2d58c8fcd92fe6d7f98dfe956d60eae909baca0d

SHA512
d253f1c2c8e042f8bfcbf9a895e4f1d9210115dbaaf580b7dcb795532bca8d0b3ae7e5ff4935674adf77f6a064de2894b3be9427aaa2462a8b968797c73b1e0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b148ee69de0b94e163d314c6849fdbe

SHA1
2a9afe47d894ee3e77b51614f23dd2121fd59ea4

SHA256
94573a1c45b5ef89cb5ee723c68b2323bb93075f1679881a7e1e3b38036a2b04

SHA512
aa27dbbefd75c9cb69a3b54c0adc21e299c14f6141be1f3339e7e8e94cadcbf29463ea07272a40f4e062e822da5cf57e62784060ff4a2d57a3cf298569b5c2ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
487895b0aa574cc522a9c10be13472c2

SHA1
3406a9d30df72f2ce2cd7e89d56ea2e477044795

SHA256
2452bfd9e0c5a2210d8b2e9e4c75d6d29e12ccff3759fa0f1d18dff8d7b78ea7

SHA512
700a8ab5dd093188046006452124a07a79ec89903fa5114b5ceb9a757a10d304976c5811d8cd5170652e8ab2ffbf971e932395a5f2204790b0a13457d49b3816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06295301-20F3-11EF-9BF8-4A0EF18FE26D}.dat

Filesize
5KB

MD5
f9ca5bd5b5910e031ad1eca67bc7acf2

SHA1
6b6ef6515de2bd3c2f9c9ffef24707b9e1bed743

SHA256
e9cb08d01a33590fcfb1fd17b6bb8b4820f4765e064920359f82254c6f94cc66

SHA512
bfe425e0ddb9503907c391dbfe872b710940e4fe2434efeae018b8b67e0cf78ab9a6da562da897dc9b317b8e176c5d5233a392be68ac336d659e68c0d4e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1FE2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20B4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk

Filesize
1KB

MD5
d200a3ae5fe71e94691b502e6b89e20f

SHA1
280d5bb21890fff715e70696f5eedbecbbe891d4

SHA256
3e74bfd770d461e887bcde12eaa964317466460c97ef395c7e89ffc72cd07a52

SHA512
cebabc4fc07ca3086c6d8ed48e76a801b22fb572934b822807e92dd10e00393c3b624f95bd7ffc1e17bafdfefa6b3ab47b6b54c531c491b4073189544cfcfe47

Download Submit
\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\setx.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1124-436-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1124-438-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-0-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2304-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-413-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-929-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-442-0x0000000005EA0000-0x0000000005EA2000-memory.dmp

Filesize
8KB

Download
memory/3012-396-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-386-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-389-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-412-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-411-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-418-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-421-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-928-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-402-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-422-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-423-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-417-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-18-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/3012-419-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-420-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-425-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-427-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download