cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
126s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B | | 2. http://cerberhhyed5frqa.qor499.top/486A-E76B-ABBC-029E-DA0B | | 3. http://cerberhhyed5frqa.gkfit9.win/486A-E76B-ABBC-029E-DA0B | | 4. http://cerberhhyed5frqa.305iot.win/486A-E76B-ABBC-029E-DA0B | | 5. http://cerberhhyed5frqa.dkrti5.win/486A-E76B-ABBC-029E-DA0B |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/486A-E76B-ABBC-029E-DA0B | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B

http://cerberhhyed5frqa.qor499.top/486A-E76B-ABBC-029E-DA0B

http://cerberhhyed5frqa.gkfit9.win/486A-E76B-ABBC-029E-DA0B

http://cerberhhyed5frqa.305iot.win/486A-E76B-ABBC-029E-DA0B

http://cerberhhyed5frqa.dkrti5.win/486A-E76B-ABBC-029E-DA0B

http://cerberhhyed5frqa.onion/486A-E76B-ABBC-029E-DA0B

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.qor499.top/486A-E76B-ABBC-029E-DA0B</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.gkfit9.win/486A-E76B-ABBC-029E-DA0B</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.305iot.win/486A-E76B-ABBC-029E-DA0B</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.dkrti5.win/486A-E76B-ABBC-029E-DA0B</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/486A-E76B-ABBC-029E-DA0B</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/486A-E76B-ABBC-029E-DA0B in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	PkgMgr.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\PkgMgr.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\PkgMgr.lnk	PkgMgr.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	PkgMgr.exe
1672	PkgMgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2940	PkgMgr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\PkgMgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PkgMgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\PkgMgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	PkgMgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PkgMgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	PkgMgr.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PkgMgr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1D5.bmp"	PkgMgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2736	taskkill.exe
1008	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	PkgMgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\PkgMgr.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	PkgMgr.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC676F71-2354-11EF-A965-CAFA5A0A62FD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC735651-2354-11EF-A965-CAFA5A0A62FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1214c02a08c24099ac605d0e586e200000000002000000000010660000000100002000000030099d6fde6aa7d2ad0c00e9a4528b09ab565755615710800b7c9ad898759744000000000e8000000002000020000000da1f6273a7785f54e95fce5ee58aa3090161b671d167ef94156b5b30b1d0b7d0900000001ff8708a54284c3678a878cde09c310b7afd79b390fc63ec23aa52513db6c320d9d3d364d0bc19974a29318f69d2a3337e45adb919496ad8c56a3a62759d770c9823e26c5fa4b03c6af4c00cc075298e3e55cb4f8a55f73a9193a90d88e891d7e537d483ac7083d71a2a8f3bf2ce1fcb10b0ffba15496327fc53ac81795988b038e3da02a531a3b3d760518d23d885b1400000001802c3781638454d01fc14384b5d792060fb0c55702907475dc213a978c3e54bc4520858ffb06463ce2138e3386c124af9cbdcad5e367002172784966aeac032	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1214c02a08c24099ac605d0e586e2000000000020000000000106600000001000020000000f561b47c1f2ad98d2d87e0e4d7826d272d612122bbaccf8fd4d7e9b31843f3a7000000000e80000000020000200000009485b9f9af0ebdb450ebdfca62169b97d1cac4406f304abedc88f033726bf11820000000de061a184fe7308778bc4716c3a70a2007a0b7bfc10bd57893617d8c83f929de400000003747376d1f2a350a338a5f4f83acb8f11caeb7c776c459ae394bd662ec6fc72547428a7686416407722671fb1608c1830882a7234e013f171692e64401050448	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423765153"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5012bd9f61b7da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2788	PING.EXE
2992	PING.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe
2940	PkgMgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	2940	PkgMgr.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	1672	PkgMgr.exe
Token: SeDebugPrivilege	1008	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1876	iexplore.exe
1876	iexplore.exe
2160	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1876	iexplore.exe
1876	iexplore.exe
1876	iexplore.exe
1876	iexplore.exe
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE
2160	iexplore.exe
2160	iexplore.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2940	PkgMgr.exe
1672	PkgMgr.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2940	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2868 wrote to memory of 2940	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2868 wrote to memory of 2940	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2868 wrote to memory of 2940	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2868 wrote to memory of 2052	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2868 wrote to memory of 2052	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2868 wrote to memory of 2052	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2868 wrote to memory of 2052	2868	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2052 wrote to memory of 2736	2052	cmd.exe	31
PID 2052 wrote to memory of 2736	2052	cmd.exe	31
PID 2052 wrote to memory of 2736	2052	cmd.exe	31
PID 2052 wrote to memory of 2736	2052	cmd.exe	31
PID 2052 wrote to memory of 2788	2052	cmd.exe	33
PID 2052 wrote to memory of 2788	2052	cmd.exe	33
PID 2052 wrote to memory of 2788	2052	cmd.exe	33
PID 2052 wrote to memory of 2788	2052	cmd.exe	33
PID 2628 wrote to memory of 1672	2628	taskeng.exe	36
PID 2628 wrote to memory of 1672	2628	taskeng.exe	36
PID 2628 wrote to memory of 1672	2628	taskeng.exe	36
PID 2628 wrote to memory of 1672	2628	taskeng.exe	36
PID 2940 wrote to memory of 1876	2940	PkgMgr.exe	39
PID 2940 wrote to memory of 1876	2940	PkgMgr.exe	39
PID 2940 wrote to memory of 1876	2940	PkgMgr.exe	39
PID 2940 wrote to memory of 1876	2940	PkgMgr.exe	39
PID 2940 wrote to memory of 1068	2940	PkgMgr.exe	40
PID 2940 wrote to memory of 1068	2940	PkgMgr.exe	40
PID 2940 wrote to memory of 1068	2940	PkgMgr.exe	40
PID 2940 wrote to memory of 1068	2940	PkgMgr.exe	40
PID 1876 wrote to memory of 1856	1876	iexplore.exe	42
PID 1876 wrote to memory of 1856	1876	iexplore.exe	42
PID 1876 wrote to memory of 1856	1876	iexplore.exe	42
PID 1876 wrote to memory of 1856	1876	iexplore.exe	42
PID 1876 wrote to memory of 3000	1876	iexplore.exe	44
PID 1876 wrote to memory of 3000	1876	iexplore.exe	44
PID 1876 wrote to memory of 3000	1876	iexplore.exe	44
PID 1876 wrote to memory of 3000	1876	iexplore.exe	44
PID 2160 wrote to memory of 2752	2160	iexplore.exe	43
PID 2160 wrote to memory of 2752	2160	iexplore.exe	43
PID 2160 wrote to memory of 2752	2160	iexplore.exe	43
PID 2160 wrote to memory of 2752	2160	iexplore.exe	43
PID 2940 wrote to memory of 2928	2940	PkgMgr.exe	45
PID 2940 wrote to memory of 2928	2940	PkgMgr.exe	45
PID 2940 wrote to memory of 2928	2940	PkgMgr.exe	45
PID 2940 wrote to memory of 2928	2940	PkgMgr.exe	45
PID 2940 wrote to memory of 2896	2940	PkgMgr.exe	48
PID 2940 wrote to memory of 2896	2940	PkgMgr.exe	48
PID 2940 wrote to memory of 2896	2940	PkgMgr.exe	48
PID 2940 wrote to memory of 2896	2940	PkgMgr.exe	48
PID 2896 wrote to memory of 1008	2896	cmd.exe	50
PID 2896 wrote to memory of 1008	2896	cmd.exe	50
PID 2896 wrote to memory of 1008	2896	cmd.exe	50
PID 2896 wrote to memory of 2992	2896	cmd.exe	51
PID 2896 wrote to memory of 2992	2896	cmd.exe	51
PID 2896 wrote to memory of 2992	2896	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\PkgMgr.exe
  "C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\PkgMgr.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1856
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3000
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1068
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "PkgMgr.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\PkgMgr.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "PkgMgr.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1008
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2992
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2788

C:\Windows\system32\taskeng.exe
taskeng.exe {E33769C9-69E7-4765-9029-9DA186DA978F} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\PkgMgr.exe
  C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\PkgMgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2752

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
a9dd19826857391502220513d7c80657

SHA1
14576646d05cdf140f67f2629cfb387f7b9514df

SHA256
b12fb7dbb557540dae1d39fa5cb87aa6474313b6c9cfaf41f3cc78fd45edcf7c

SHA512
9dad70a32269f0fe08c41fc91b9df85dc9dff6ae1f996d270e64206a40278e81442e7a68b45e44f1b6c143856117703a54bbed593fa38cde45f3d3438cf748cd

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
de0028da4d4da20175ac66c7b233dad8

SHA1
99bea4103bc01b65a5e8aaea163dc13fc922e05a

SHA256
16059f335b1da83a9bfda459a912b111c061734afd7d3dea56696a6202f371d2

SHA512
54af81ebbb2dc904e9570846bdb9a49c766a1ce207f168d58934ed4863403a659249f2e9b8606445dbf5463f4b5018dd31067cb722856733a9ec8e7aaf82ec46

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
01b7c9357cf73e812f390ab5424772fa

SHA1
16984740ecbb4e5bd916c9c643812103cef620bd

SHA256
350c2316d2177c48947086998dbe955d2818e7a975c1d0678b4e35d13d5d0714

SHA512
bb005fb0f6463f62a6ee7fc5892938821d893ca3b6608b65f22509d6c3e4c601728c3c86f88f4dd48baa8505f9b3d82eb7dace072d978d581c0b5812a6e85f30

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5aa272d34086837578d7afe6db0e9f55

SHA1
600c66483756b735794e0f20f0d522833f4c8e20

SHA256
329bb89df9ecc7aabe00e56c8232a556f345489a74f123b25f26261d15ae48f8

SHA512
7182401f1e6c718ad0543abb3ca8e4e4ddcc9cd479bcdbe805b06902c99d3d967293804214368ee9b1cd22ad6c5f1f97d2cfa75a1568a63ab77aac43d06c3318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c874ab7991b771d117e109502223d5a

SHA1
5fb854461bfcdc7a7b4123a44a55aba0540d1656

SHA256
94132534d16cea6d22602c302b2288aaf37e8c8b0418f23d6f8b237b52fbad04

SHA512
f7b22b5bf8ebc4a6661133a57f23a2da6a1b0c02da908bdecc18d2e2bd8e499e384d16eca4bff1be8661faa1828c4527f3891071806f0595bd7b50355ab4b3e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
700c2692c51178889caf6944a85d93b4

SHA1
37df5dd2bb923d7bcf5cc6b0942d4657180f4c64

SHA256
d31285a0cce72b4c9bebb54b12ea1327b14318e7a1110b4e7d3461f67045c7e9

SHA512
ca3eca1c48e957f4ac1e19cdad9ffbaf7b8187e9eb6373ddd24d6dda3c4af1f2876f9d826208b87acb50ee2136d53334cf3e81379bc4c6e542f2f095eef0d5a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b9ce2673c5fd65e91cb8f2cfaa45c6

SHA1
e1c4e30a037c7dc75d5cb3fc2842d87af61adb84

SHA256
039aa2d0c799c4e4c90fcbba5ec1e0e8665a9f5cd402d45154b3fa497ff96c5a

SHA512
f6799536f4c1f0f478ef5bf574d54be790107d2cbafcaebfea86d6150b4d7162354065d1deea1056cfc4da237c1bb60013f62f08c1f0ea3026e9e75dff451fe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b889427b4163fed6b883f709a56c610

SHA1
eacf6fedfd0086f67624f61bb1731f2e1af5195c

SHA256
86ad01fa273c76e952b1c76b3828815cdd6cf2ef35ddd88e71aa85da19fbe0c1

SHA512
a817f50cbb32d5aba90ca9632b95062c62ba1654fbe70f8aaea1b062f4052e214cb69926547c2a76379a7f4e2797a751c14ea08995ea49baa5c972e8f00e3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
015ac7f78f37d098f910bf1fa0684470

SHA1
2f01b0b08e2706b29175a10800cfc40bf4fd9cb6

SHA256
0a821d1893675128f9692dd173c1dfd3fd645c10617655b7a01a550ff7369902

SHA512
d69037501b957aca98956c714cdd6dbbd31e27becd67cd447254e64393c2ed28337bbbf78303576eb413fde85aee7a033df483ce79d6307ccd51c1185ca4f0c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e82b62abc8a4dbec020232f2756931

SHA1
b833e3ec0ed8f210f430c5080298d18f0c80f96c

SHA256
4c9766c8f509168b1a74c7efa6ac0b8b0b078564832a88244ba45a785948b3dd

SHA512
a87d0481f638b94e96a11e62443a3e51ad08cac1725a94db26da7ab23abfd7b3879f24711021c87e7cd7dbe1e4c99d15ed7a5f18f140d205a1d6da3d4d90ed7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f227ef7d1102cb3de1ca32eb2466906a

SHA1
19a9df77e1e0293e21a7916a0932868b5ec4f1dd

SHA256
e7e5919e1eb90ffd5830b67b2813735edbbeb38ce281312ebf5d0ab167e6509b

SHA512
81b0e9222bd75d81046fdb1164c868dff7f2245b970751b5cd8a4631f7277c9077e1ea8e0f8f34086cb7335809484de04c07ca732665cf349d6c03b91322cb07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
592160fa827a52f062dee010fca2bbde

SHA1
37cb500aebe2be2b8dae4714a092234b586062d8

SHA256
1b2b11a6200a6b96ac9e539a0773203059e8da6fcee89b8e7eeb3a56611148fa

SHA512
77fac2e95e7e822ed639bff2cc043124c2d3351139a181d1b970d719b30e63e13f8a6a23d03b98239b5b2ce1372619a1415f271bbe93e26293714f9526bf93ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f50b2f3303d10ec7a0a939bb4690a21b

SHA1
7764c2dddfca369cf30b503d0ce80270db2dce0e

SHA256
de50048de1a38dd454ce31a0f84449d1c4bc3a24e9160c96da2c6450d618b5ab

SHA512
5b357540df1b80879d7e877fd63cd0f61386b47ccfd095f5a158279ad12d829816fdaa90f20aafaa5e4cece2f4be136094833d9d5dc63ace23f2fcff846e1459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7a05abb0648f0bf35b65e39128be173

SHA1
d2ed569445308721b24bfff99828ab02f91a3afc

SHA256
6b61b7d38c16b1b8cd2db5c1a76db0a8c2b118089950d5d3e43a3108efbd5ed5

SHA512
b4af5ba95d1e2f4e97ac1f00dbc30204b06e636a628361f6dc1dc5db244f2df910a68051459405bc137dabbdeda20885ab9471bc641e3d07f2a2dacd7cb3aca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
378e85714f626dabf247e6c5ee747ab8

SHA1
313865a8e5378da217db74892bf13d3ea65f398e

SHA256
2f4e68a13d95bb3c38f6d0c74faca40ecb3e17bafc2c6071cda406ac40d0c87c

SHA512
0ee6410b7f6cf3ec83d6798fa9babff58d77ea4233da58cdf8f09c6a5f9203757267e27b98e3a944d3757fa250aaea3ace49aa5625937481b1530e22bfad5f9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
600f07bb3041ecd130cd694c7e7605ca

SHA1
8d7e6c64af49a861b9f6f047b41eaa6a09a8a8c3

SHA256
453c7b10104cd4efc05a13d4a494d7d8077b39d45c79488c9275cbcb1eb92a25

SHA512
28e088d9e740aaa836e81596e7015cdc27d9e3a6b0c82ae2fc8332eebecc2a936deb6710e0840348af12e02f18088f9ec0578fd151e3e9db55a390cc63a01883

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47c03bc12110d2ef16ef3262883af899

SHA1
60d67ca6f3f155f237f4101d9fee9095696807c8

SHA256
348db09d7d331c91be1a97fcb421015b2dd3eb3fddd8deaef9df9fcecf94b145

SHA512
db4e94073dc5df8b5a34c1dcb501034860e368db6fd0ff8ad4b9d72ea2f32768160ad57cd662d0fd771acb660c7b40e6cd178db14508a85edfec4ea3b7055302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b1217b21de568265ab213298e6c7145

SHA1
a3e7c6d9bed97a2a284738898b11c777072d7789

SHA256
bbd344e6ed88ad2f78e300d78dfd960094d8586cd53d91536d455f9e869b55ae

SHA512
2946cf1bb4e4a0ed7d30333d9fe99a3a2766bac93a8ea4e7fb96585d1685614cdcfa914fcb969744709d199f2b1ed67bc3ea4e9ca1d6a7f12273bd8ebff041f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4effbda93c6ae15319b06ab94b32cc5

SHA1
34fe6676ff863f90571a48278e5317aa296d228a

SHA256
5fecb5bb2fc1b5a2e01cdb075952a8bb779fc411355fc55ff7880b11a9a61d62

SHA512
95087ecdc6563452e898a93d1a05e7ef9d8a700cc5fb7cf42562ead1db9db6ab09aa24869c3ce6e21a5d5386fded953d9dba64b4f34017b5154a1e0f3cc73b34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe5874030cd39bd884e563077e4d9e39

SHA1
2b0ac85fa1d56bbb61ff670d0b7af8bcc1e4b777

SHA256
fa8985e326f20a268484baaa34452a712783f69786eb872960e7bb48165b0d24

SHA512
e36fc0ff26a5b1651147dc20dde2c31c4960b899be3bf3d92591034996aef319dfa3af51566f0755457b9e4237addf1a38c08b1f07a402dc7e05007bca44333d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14237b62cdd81075a1403ed9a3fbd432

SHA1
3510cb21db6ed6e9387b6274e95bd3ba94f189f7

SHA256
cbad1ff5486539379ae869dbe28502aec9988a2cf0666fef2db12c07aea993fb

SHA512
d885ea945d1c4380398d613480ce4f6a01a650f73ec08c2fc25f9d738d4b3ec4036de21eadb0970eafff5bb9bdbcf3d47963a6ee61fa972356139a31cd9e0f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC676F71-2354-11EF-A965-CAFA5A0A62FD}.dat

Filesize
5KB

MD5
602fd1d46cc14bc8508c1d27644bb87f

SHA1
b3898102410c821285bbe20ffea242c9c8b62f74

SHA256
e4e2f9c64406aafd3f458bd172c0627108e24d2a890de33b1f98621a690fe6b7

SHA512
90bb4e9791aad244550ca223959bc40fb8a3031753f11058ac3a11fd6488dc41bb1eadce65be63aabf1ac649afe9589486abfa230330d1c7665a008428294c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18E0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19B2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\PkgMgr.lnk

Filesize
1KB

MD5
74f359e280f6a4d2339f2bc7f082c37b

SHA1
dc4b4b95a36384a691a427e5ff1145355f4902f0

SHA256
5a70cfdbca4476166bbe14a1503aff7c3a08cd1d9a84fb9683152fa86c3859b9

SHA512
53617a13b267767ddb16c2d3aa8c1f2b5d5f29baba6cf7b2d6a4f1ab45eb41f75e3fba090a1b871ca0cc18f916287063299715ed58665eecb8ebc199a0173a76

Download Submit
\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\PkgMgr.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1672-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1672-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2868-0-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2868-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2868-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2868-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-461-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-968-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-471-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-422-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-425-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-428-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-437-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-431-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-463-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-465-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-468-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-482-0x0000000005FA0000-0x0000000005FA2000-memory.dmp

Filesize
8KB

Download
memory/2940-969-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-440-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-444-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-18-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2940-447-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-453-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-456-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-450-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download