cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
127s
max time network
128s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98 | | 2. http://cerberhhyed5frqa.qor499.top/7AB0-3823-F077-029E-DF98 | | 3. http://cerberhhyed5frqa.gkfit9.win/7AB0-3823-F077-029E-DF98 | | 4. http://cerberhhyed5frqa.305iot.win/7AB0-3823-F077-029E-DF98 | | 5. http://cerberhhyed5frqa.dkrti5.win/7AB0-3823-F077-029E-DF98 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/7AB0-3823-F077-029E-DF98 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98

http://cerberhhyed5frqa.qor499.top/7AB0-3823-F077-029E-DF98

http://cerberhhyed5frqa.gkfit9.win/7AB0-3823-F077-029E-DF98

http://cerberhhyed5frqa.305iot.win/7AB0-3823-F077-029E-DF98

http://cerberhhyed5frqa.dkrti5.win/7AB0-3823-F077-029E-DF98

http://cerberhhyed5frqa.onion/7AB0-3823-F077-029E-DF98

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.qor499.top/7AB0-3823-F077-029E-DF98</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.gkfit9.win/7AB0-3823-F077-029E-DF98</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.305iot.win/7AB0-3823-F077-029E-DF98</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.dkrti5.win/7AB0-3823-F077-029E-DF98</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7AB0-3823-F077-029E-DF98</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/7AB0-3823-F077-029E-DF98 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	SearchIndexer.exe

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\SearchIndexer.lnk	SearchIndexer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\SearchIndexer.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Executes dropped EXE 3 IoCs

pid	Process
1752	SearchIndexer.exe
1640	SearchIndexer.exe
2912	SearchIndexer.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1752	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchIndexer = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SearchIndexer = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchIndexer = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SearchIndexer = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	SearchIndexer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchIndexer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCEC.bmp"	SearchIndexer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3020	taskkill.exe
2708	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\SearchIndexer.exe\""	SearchIndexer.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000004a3a7dcbeaff256a52d67c139af197af083bbdf3a15defa69d39ffa12e640f0e000000000e8000000002000020000000e2b097515ba5b9e0bcfd85a3361d21e1aa2bb03552333e7efc9a15e6d3910f3920000000a4cc2357dd245180568f03126d7da1c918d39ef8fd4cdd7aaf2d43795660b32540000000029d1f9c753a39ed84602f37e3597ebfa576ba4f6fd741f9804598a67d54f98c22a92eeda28f8d7c6ef8ea5cb373b57fe5648b0ec5597b9bc6a16727b5e6fed4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000b6b35305c4f4559f59f7bfa99ed7e7d56009670d241d98e87036ed4b3093f9e1000000000e8000000002000020000000f8abf26048d8a87db31fbc78e71b344426e02aebbc3962aeecee1bfbdf44e42090000000e30f8f8eee940fa0f85e0b55ff1bef917858fdd83d013a31a81680407b38c9bf13e8054a919f53facab79aab0976ee37e2024e033a04c17adcf4215be8fd7212bb7fab0d1de955ab481463441be43d12e4eaf33685f6f5a361cf1ba829441e1e1f302faa6a90a6dcea78e64e1079b9e8e992e9d5a075a2684418438355cd028e0587c1bb031c1c1f037fd96767b85e6d4000000099475757e948e82a083ee7ea00898f0603e8ab23aa025b768270d3b40df8b65db6a04fe99cdf6144a67f06337e7c8abb7ecd5d654c5945cef9ba3dd3eec00fdf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423768774"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AD459C1-235D-11EF-BE4D-CE57F181EBEB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AE040A1-235D-11EF-BE4D-CE57F181EBEB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908ea30d6ab7da01	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2748	PING.EXE
2824	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe
1752	SearchIndexer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	1752	SearchIndexer.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	1640	SearchIndexer.exe
Token: SeDebugPrivilege	2912	SearchIndexer.exe
Token: SeDebugPrivilege	3020	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2212	iexplore.exe
2380	iexplore.exe
2212	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2212	iexplore.exe
2212	iexplore.exe
2380	iexplore.exe
2380	iexplore.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
2212	iexplore.exe
2212	iexplore.exe
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1752	SearchIndexer.exe
1640	SearchIndexer.exe
2912	SearchIndexer.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1752	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2036 wrote to memory of 1752	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2036 wrote to memory of 1752	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2036 wrote to memory of 1752	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2036 wrote to memory of 2100	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2036 wrote to memory of 2100	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2036 wrote to memory of 2100	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2036 wrote to memory of 2100	2036	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2100 wrote to memory of 2708	2100	cmd.exe	31
PID 2100 wrote to memory of 2708	2100	cmd.exe	31
PID 2100 wrote to memory of 2708	2100	cmd.exe	31
PID 2100 wrote to memory of 2708	2100	cmd.exe	31
PID 2100 wrote to memory of 2748	2100	cmd.exe	33
PID 2100 wrote to memory of 2748	2100	cmd.exe	33
PID 2100 wrote to memory of 2748	2100	cmd.exe	33
PID 2100 wrote to memory of 2748	2100	cmd.exe	33
PID 3040 wrote to memory of 1640	3040	taskeng.exe	36
PID 3040 wrote to memory of 1640	3040	taskeng.exe	36
PID 3040 wrote to memory of 1640	3040	taskeng.exe	36
PID 3040 wrote to memory of 1640	3040	taskeng.exe	36
PID 1752 wrote to memory of 2212	1752	SearchIndexer.exe	39
PID 1752 wrote to memory of 2212	1752	SearchIndexer.exe	39
PID 1752 wrote to memory of 2212	1752	SearchIndexer.exe	39
PID 1752 wrote to memory of 2212	1752	SearchIndexer.exe	39
PID 1752 wrote to memory of 3052	1752	SearchIndexer.exe	40
PID 1752 wrote to memory of 3052	1752	SearchIndexer.exe	40
PID 1752 wrote to memory of 3052	1752	SearchIndexer.exe	40
PID 1752 wrote to memory of 3052	1752	SearchIndexer.exe	40
PID 2212 wrote to memory of 3028	2212	iexplore.exe	42
PID 2212 wrote to memory of 3028	2212	iexplore.exe	42
PID 2212 wrote to memory of 3028	2212	iexplore.exe	42
PID 2212 wrote to memory of 3028	2212	iexplore.exe	42
PID 2380 wrote to memory of 1540	2380	iexplore.exe	43
PID 2380 wrote to memory of 1540	2380	iexplore.exe	43
PID 2380 wrote to memory of 1540	2380	iexplore.exe	43
PID 2380 wrote to memory of 1540	2380	iexplore.exe	43
PID 2212 wrote to memory of 1360	2212	iexplore.exe	44
PID 2212 wrote to memory of 1360	2212	iexplore.exe	44
PID 2212 wrote to memory of 1360	2212	iexplore.exe	44
PID 2212 wrote to memory of 1360	2212	iexplore.exe	44
PID 1752 wrote to memory of 1512	1752	SearchIndexer.exe	45
PID 1752 wrote to memory of 1512	1752	SearchIndexer.exe	45
PID 1752 wrote to memory of 1512	1752	SearchIndexer.exe	45
PID 1752 wrote to memory of 1512	1752	SearchIndexer.exe	45
PID 3040 wrote to memory of 2912	3040	taskeng.exe	48
PID 3040 wrote to memory of 2912	3040	taskeng.exe	48
PID 3040 wrote to memory of 2912	3040	taskeng.exe	48
PID 3040 wrote to memory of 2912	3040	taskeng.exe	48
PID 1752 wrote to memory of 2564	1752	SearchIndexer.exe	49
PID 1752 wrote to memory of 2564	1752	SearchIndexer.exe	49
PID 1752 wrote to memory of 2564	1752	SearchIndexer.exe	49
PID 1752 wrote to memory of 2564	1752	SearchIndexer.exe	49
PID 2564 wrote to memory of 3020	2564	cmd.exe	51
PID 2564 wrote to memory of 3020	2564	cmd.exe	51
PID 2564 wrote to memory of 3020	2564	cmd.exe	51
PID 2564 wrote to memory of 2824	2564	cmd.exe	52
PID 2564 wrote to memory of 2824	2564	cmd.exe	52
PID 2564 wrote to memory of 2824	2564	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe
  "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3028
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:472065 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1360
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:3052
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1512
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "SearchIndexer.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "SearchIndexer.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3020
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2824
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2748

C:\Windows\system32\taskeng.exe
taskeng.exe {CCB329C6-7297-4889-9E5E-C5B8681ABCAB} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe
  C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1640
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe
  C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
51d3847d42cba4d8f69d35af3160722e

SHA1
d1807457ccac0f7a6f39fdf0f3ca127bf60e104c

SHA256
281d91310cef892dcd73cea3a2c580c5e7dad1d988d4c1ae5c856b57ad9cce71

SHA512
52a7f97da63f032ca7ce90301eadf0250365fedf3edfb473e009d8da0503afa698c10e5d358f7eacff5a99c7cf0a68dc1cb978bf41e2f5cf0c2732aea81fb6be

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
60e9cc82172d82e79104a6b5e3f70e23

SHA1
64c632c86d0fec303d967a8034616d321e3d7e8d

SHA256
6c6647462aca227e2c7d08ad2975ecba5027a0892eda9a71147f94cdd644337a

SHA512
17eae779e5577ed99f791c3d76a4bca43dd596b16edfab7df79c18770e1d3f60e13ed7e6515e5267e7c75a9bc49e6017900f1ea310c3f034875c81e93b2cb680

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
341ba6eec10379d6ed696dfffc9a1c31

SHA1
24d12b698d5d31b372cb36862d356dc8bed86678

SHA256
8a0ffcd87fd1504de8f056ca68018caf2dd904762dc628d800308038d4dcccbc

SHA512
2a9dd43e1ca7b83001fab6f057dcf15bed46837adb5a8113e5e83fd3e1d23c16c005ec308ec3a9f63e2cf5a5561b1ecab292b5802ad9cf233b764fc620cd7824

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8da72aa806e00aba8f9ab6733418bbb

SHA1
ebdfbd608a5084538ff6ca1e6d7d27d9e164d5a1

SHA256
b141438559b1231246e28d086b152ad0c306e9ee3e4657d9955946abb1896756

SHA512
95f10c746fb047f01ef3505869a5af865b90d541bd95183d5bdcfba5309ebe03bf8554d35f602a7b88e9d0e227d733645af95cc1a80beb269827575c26526cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f3142054b28924865dad8b24d6d98aa

SHA1
62763dd3484fbd2241e1dd803478154dca19b1d2

SHA256
aca8e192509e9115b5f548a5dc2159f6428b236f6e39515e6b6b83a58b35efa7

SHA512
8cb71b3b7ed3d4f2a3bb9595a18aec3ed50f779834b5241490a0e3162f91cc95b51004b969b14afa3e63c85843d65568c37ed0275e37d6dd0782d2408cf85368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b77a82eedbe32bd5a25dcd255378f8be

SHA1
94deebe3b7bf69f80bb63662aa58cddf85b25c63

SHA256
a0abdf89cbbd8939ff74f6bcb93190f741ad66be4e7c2ee9eb26046350a6467f

SHA512
e3b9af3bd67ded465f8348ff9523116138bfc654375098bc39b2407ba550bd90ef4240879f4385485c00bfe1d315a510380b7b135b226c6d62fdec2931f55742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0d4f5f0fdd20ec5e8591e8e67733ae3

SHA1
364655e8d9f4f5123f454f308cb1c6e05f4243ad

SHA256
a52151fd5bda84aee5032c5051bbd846ad755f865468e43a28f069beff41fd3f

SHA512
ecfd3e7c25bafffc1a230e000df8ef3e93665d1fab65a2ec3f762d87499530563b0cc7f133932b6ea02c10a2955c9bb9cdc13bf2e2ec028dc68dea4395c8fc54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a0334d69936d2a643d2277d3048351c

SHA1
980e215dc293dfd1dcb1da9626dbdd9a4619a886

SHA256
2fb4d6c78b4cbe808375e6f2ca3caa91e58d190a9de8a58d7d4e9fc6f55f8318

SHA512
04c8c2b9123fe7e5f0f4dafd1c940d5e6708c259f910ff3e81dea15b945d58e74b81a5db5db2a691cd87b1d1c6fdefee495c90ba4931c2d08537c988dcda909d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d4f074241c0ea4d82367680339c1847

SHA1
0cf584a0533d5708eb442a8a3bd939923c180f2f

SHA256
335c23b8ca16fbd17d45f20bbfb9bf14025fd8bdc81530d6550e00436f41eac3

SHA512
68281db83a93594f3179b81ebcd95ac97ae7eeacdcb154d7048a16df9671c35eb5e67ccf8e1c4912153dff1e7eec3b0eea93ecc03843e2787b6b3ac025eb7efc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f38cff7dbabb70dcbde05842500de5fb

SHA1
4fa6a8b4028b0cce38e967bfb35c0302d44324b7

SHA256
77949f67a9a55de3b1cad06bb383b548950c1a530e4f49441c6ef905f3499209

SHA512
9d5bcbfc718c4205a4f9123014bfc693741564f8a2a1cbd0a643f1c1101b1b8b30f92eb474172c338bb0a2ab4791088654ff22753ad7c08524674b87b5f4fd4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a6f515d9a94ebce1f080ca546384882

SHA1
aca41ff742aee89ed8fde27968185c9aed07804e

SHA256
396f5e97bf48e157cb5b43c602d53a88b42d63897542c10707c41a89236700e5

SHA512
9efaa0b5f6245588fcb996fc7fb4b3dd9444fc738b51fc11b508eecc74b83484be1f42cbd7855cc4abbaee198e19f152e44e0d8e81c5738a6bb4c729a081fa40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8906f9131ef004b2622c5bdd928250d

SHA1
4bb30edb253f143717a99435a27560d99300725d

SHA256
91be3f15e586006e9b9901cbd81f68c6814406acdfec8fb63524f5db0b6e1cc9

SHA512
feacbd12d7b3fb3b1f199797c8151ed156a15f020e4336bc26311a3d310ec76b8dcae3995c20f86e28c5ad4858ad92e5a7f5248f298115ed8c9ceec3d520d0af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c97155e3044061f5390f740dffa4327d

SHA1
c06dc039e7e37d2bb99283c5cd99b9b734913ba5

SHA256
d1bc149126f87b21d3b6c227461dd770d7e681d3d138918a13c4418b869d5c18

SHA512
4dd93e4b42ea115fb02c455967fb9fa3e5497488ad30138560c626a55a28af33a5872ea7f4f8c7711883f309635529fa8c4327712ad450d222ad85575cdf0d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
978777e9fd8fe29c1cff3f1411c897f7

SHA1
d369ebd5e8250797442334f9c88169bc92c53701

SHA256
29b536a9843867160874d84e13b8120d71e1618243e9bbf896733cd45b938267

SHA512
677a5eb94ddc42e25be2084857f2e832e4b01f7d8d858d03ce8bd877435f933979555be8353e14c2f32a73582d1f33f27c244521fcddd471da5bb2d4255c380a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91ca71b451f61498ab8a00c1e1ba0807

SHA1
09793e57816209520ae2a1491e2449a6e494be16

SHA256
cf9e83116d8a8e1ec57921e9f4cd8e99766a18e5280a940ac6e3e7374badb161

SHA512
1effd9e6295f4d3a7ba610fc6e5ebecb070c51017c65eb740ecc338a0a41cd3f545e5080fc8fd8136a50ef4d9aac8e43a14ae25a4981c11cba5872d353547554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da46fff2992d3d288f1adac58afbb7c3

SHA1
ccb528402b94bb876fd8bfeb6f137fc46453b636

SHA256
b4f1d306d15a92e2326062c96fe26585ab982d851f395522b43bb90c138685db

SHA512
08d7c5d7252a117f5c02f2a112e4f92106146e90cea389e6512df13cc93f4879a984253bcb50b27f301f6cf872d9a5ba7661f622fc97209edf85f98d02fa2e46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1e80f15138053b594781d64e10ff29d

SHA1
338253136559d60c5f9fc9ee5a1a22011be4ffe9

SHA256
351eb3004f8ad70e5b0830faf7a3adff87331ef05ea5c93206d5e9d16afb5278

SHA512
e42f5eb0f727e0b688ac59b006a27fd716938bd44c28bdbd38b818c7cee9ec7e8b8ed947bb89258982d01961923d5af05da9c44c7b25e076c6f9c2f3bd53871b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7203982859112fb61ce23b0e5b505628

SHA1
0cbb50e488076edba4f2877a1fc5e4aaa4ee775a

SHA256
b0f12f1060fa03bfed2f25c023455ae1c54d2c41ce30ba444e861e46d27ba699

SHA512
59d96fd7411b5331e68227d9f2b2584f23d7924b5ad848ac71017eee2b86f257b6372dbf1e1b471c56663faed849d234a8cdf1d193fa848e9356c18f4f4a57e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4c4633c84b057fd0295a8114eec1e9b

SHA1
e5aab8d6953e6ed08d15055d06a4f9c42a1e2a19

SHA256
8b47ee4eee6699cd9ca3052ea438eeaed8e1538392aa5497a371038d74788627

SHA512
0ceab2c07567c0263e7e6e4befa733519919311c06460b0abcb89f4c4463d1daa896566d6651dd625e9df3b0031dd3e518e466558ecc023867478e8fd9bdd69e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33e51203591146fb8d58c26bdc5181de

SHA1
1f97ca53fd45e488988503e3ed15492d673a1957

SHA256
fb74c92d60071cc8b4eaa718e3b25073286085383ac37fcedcfa1a4a67509051

SHA512
107235f01b2ab64f2c4a6e4aac22376b8fb4a984138a2c36db8b3dbde790a25e57c11da796c5b886e4514974d2f339448cd83a3d2e98e5e6ad6b59ae4d4c3855

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fb9d3fe62434f8265c4796fd4c2473f

SHA1
21a98c53a08125da879045f1fba9aae31b87f171

SHA256
df92bb78134da446daad07d85978f4dedecf792e4df10db7c67a064aa49b522f

SHA512
96dc876938ee0fafc4a63d0be70566bc2ce338a3d79ba4189187dbe02ca2ccd27c72f14d4a3922a06239e251c54c5777920e8fedb88e1fe4c3a760298118f3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71cf161e3f505936ba59c2980df6f331

SHA1
5f5c29ae0e3ad74061a0cbb24bb936df365c8ed3

SHA256
069a623a63d9df00b43eca4acdd4cbf6a1a96f63cb0b83ad10f0f62bd0773b03

SHA512
fd27d991af78bba8bc969170162bb36d63073760e3fd248017a4800b39992829cf599fa7baf0fb17d6d0548733b8c371709f9cd8c96b23d76cf1f6d60508c519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AD459C1-235D-11EF-BE4D-CE57F181EBEB}.dat

Filesize
5KB

MD5
11eddd991e7f42d04fb2a3ff4e52c63f

SHA1
2468a6dad129d3e8d7402ad52beae6b8766fdec9

SHA256
133db3728306c36654aacc3f63d6e737476e6135fb630a26d59dec8cae61f7c9

SHA512
9aec7a64f7cdf3cc3769d43d4ef750381bdc67bc910837a17632b3d809c582c7d34c351d62e097757a43b29bb538e94613bc536712e6d9ab287442ac745b54a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AE040A1-235D-11EF-BE4D-CE57F181EBEB}.dat

Filesize
3KB

MD5
0c518692d3a5c82ff1e740cf99362826

SHA1
b86605851313dccd937e08edced1e81754a02f87

SHA256
f329f45b1ce6e2bec2c1cad64d46e1cb39c9475ccfeb20ddd0e02b1348b61c78

SHA512
1363e0c1604e5eff5b4ece51f58f6a3fc134c4b3905894a48d77be98a06b8fafe2bb76bfd853c6466bf7fccb27a17359990e1d64fbe5e588511340542c9db8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab23C7.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar242E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\SearchIndexer.lnk

Filesize
1KB

MD5
e778e8b68f07f114de77ecf50d335093

SHA1
0adc80c514e99aae26db3e087a9b26ce1ba3fbed

SHA256
8d9f3fc9a29cc43f1e8c741b39b653e208ea82ad4bc3a7491041a2fe4cb31c3a

SHA512
44f66e40c859221bc3ef3605c8ce88fbaf6225fd90250eea870c32e235bc5b5f9f73f65430882915e2991c2ecc5dd4b9be3ebdeb9df688865d7ef31e8e718846

Download Submit
\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\SearchIndexer.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1640-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1640-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-407-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-380-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-383-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-437-0x00000000060C0000-0x00000000060C2000-memory.dmp

Filesize
8KB

Download
memory/1752-391-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-386-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-393-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-404-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-395-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-398-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-413-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-401-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-425-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-422-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-927-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-929-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-410-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-419-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-416-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-18-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2036-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2036-0-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/2036-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2036-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-925-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-924-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download