cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
129s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4 | | 2. http://cerberhhyed5frqa.qor499.top/97B6-A7B0-FA94-029E-D3C4 | | 3. http://cerberhhyed5frqa.gkfit9.win/97B6-A7B0-FA94-029E-D3C4 | | 4. http://cerberhhyed5frqa.305iot.win/97B6-A7B0-FA94-029E-D3C4 | | 5. http://cerberhhyed5frqa.dkrti5.win/97B6-A7B0-FA94-029E-D3C4 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/97B6-A7B0-FA94-029E-D3C4 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4

http://cerberhhyed5frqa.qor499.top/97B6-A7B0-FA94-029E-D3C4

http://cerberhhyed5frqa.gkfit9.win/97B6-A7B0-FA94-029E-D3C4

http://cerberhhyed5frqa.305iot.win/97B6-A7B0-FA94-029E-D3C4

http://cerberhhyed5frqa.dkrti5.win/97B6-A7B0-FA94-029E-D3C4

http://cerberhhyed5frqa.onion/97B6-A7B0-FA94-029E-D3C4

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.qor499.top/97B6-A7B0-FA94-029E-D3C4</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.gkfit9.win/97B6-A7B0-FA94-029E-D3C4</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.305iot.win/97B6-A7B0-FA94-029E-D3C4</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.dkrti5.win/97B6-A7B0-FA94-029E-D3C4</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4" target="_blank">http://cerberhhyed5frqa.zmvirj.top/97B6-A7B0-FA94-029E-D3C4</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/97B6-A7B0-FA94-029E-D3C4 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	RMActivate_isv.exe

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RMActivate_isv.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RMActivate_isv.lnk	RMActivate_isv.exe

Executes dropped EXE 3 IoCs

pid	Process
2620	RMActivate_isv.exe
2688	RMActivate_isv.exe
1164	RMActivate_isv.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2620	RMActivate_isv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\RMActivate_isv = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RMActivate_isv = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\RMActivate_isv = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	RMActivate_isv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RMActivate_isv = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	RMActivate_isv.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RMActivate_isv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB47.bmp"	RMActivate_isv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2592	taskkill.exe
2436	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	RMActivate_isv.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\RMActivate_isv.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	RMActivate_isv.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c833d00caa8095409ad8b50ecb7243f600000000020000000000106600000001000020000000bb0419108ec9ddd1a3fb4ab6487eefed771fd337abb8f216f8d33a43b1fcafaa000000000e800000000200002000000023435ec93731879c63961c954a9c95e3d9b53f69940fd009abe40bee8dd2c2649000000044dc9ece36dacdc2498418813da6984339d36e780b1da0369d300c4abf47232647d919511fbb2facc39b7f1878d27cf19a9a755f28776047c5ac449dfbfc8f96ecf2121a91e6c6a000d169fb6c6f7a4c32a10e57c2e55cb43673ab4a2bd3ed96bd2882c108b43b59b11117632bfe0794c19f70a81af6dbab2a7732b7ce5d4a7f49550314ed171cfb2fb0bb99764271da40000000a79effc821a3be0cab4eecb9fca8b92570cf08bbfedc5ff533c6a1c9d2747b93ff29423e4fc78147e6f59dadc1f32b51cea5b5164f62f0b73feda2b82d13cf74	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B6E4A841-235D-11EF-B5E8-DE62917EBCA6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c833d00caa8095409ad8b50ecb7243f6000000000200000000001066000000010000200000005773cecdc142b04f89aa7384469ad637155d35bbca5dec62c219382d72721940000000000e800000000200002000000087c267230c7039cea8f0f6027876f23c18703a1490c2b1f893b5763d6b8d082c2000000074bf2ebe21b4a7a3416345ee696779110b5bc6b71b6dfaabffaf2efb533947e240000000ecb0f6158c49ebdc5d5b9f145a4746fccf5296ce91e9b4389ea1f639d4ab49c46e1b104b5c7f89f9c384ec1485524e59119c7df582b224f4768f401226c160df	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B6D66001-235D-11EF-B5E8-DE62917EBCA6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04f9d796ab7da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423768955"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2740	PING.EXE
1516	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe
2620	RMActivate_isv.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	2620	RMActivate_isv.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2688	RMActivate_isv.exe
Token: SeDebugPrivilege	1164	RMActivate_isv.exe
Token: SeDebugPrivilege	2436	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2840	iexplore.exe
840	iexplore.exe
2840	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2840	iexplore.exe
2840	iexplore.exe
840	iexplore.exe
840	iexplore.exe
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2840	iexplore.exe
2840	iexplore.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2620	RMActivate_isv.exe
2688	RMActivate_isv.exe
1164	RMActivate_isv.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2620	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2196 wrote to memory of 2620	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2196 wrote to memory of 2620	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2196 wrote to memory of 2620	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2196 wrote to memory of 2568	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2196 wrote to memory of 2568	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2196 wrote to memory of 2568	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2196 wrote to memory of 2568	2196	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2568 wrote to memory of 2592	2568	cmd.exe	31
PID 2568 wrote to memory of 2592	2568	cmd.exe	31
PID 2568 wrote to memory of 2592	2568	cmd.exe	31
PID 2568 wrote to memory of 2592	2568	cmd.exe	31
PID 2568 wrote to memory of 2740	2568	cmd.exe	33
PID 2568 wrote to memory of 2740	2568	cmd.exe	33
PID 2568 wrote to memory of 2740	2568	cmd.exe	33
PID 2568 wrote to memory of 2740	2568	cmd.exe	33
PID 2676 wrote to memory of 2688	2676	taskeng.exe	36
PID 2676 wrote to memory of 2688	2676	taskeng.exe	36
PID 2676 wrote to memory of 2688	2676	taskeng.exe	36
PID 2676 wrote to memory of 2688	2676	taskeng.exe	36
PID 2620 wrote to memory of 2840	2620	RMActivate_isv.exe	39
PID 2620 wrote to memory of 2840	2620	RMActivate_isv.exe	39
PID 2620 wrote to memory of 2840	2620	RMActivate_isv.exe	39
PID 2620 wrote to memory of 2840	2620	RMActivate_isv.exe	39
PID 2620 wrote to memory of 1528	2620	RMActivate_isv.exe	40
PID 2620 wrote to memory of 1528	2620	RMActivate_isv.exe	40
PID 2620 wrote to memory of 1528	2620	RMActivate_isv.exe	40
PID 2620 wrote to memory of 1528	2620	RMActivate_isv.exe	40
PID 2840 wrote to memory of 2268	2840	iexplore.exe	42
PID 2840 wrote to memory of 2268	2840	iexplore.exe	42
PID 2840 wrote to memory of 2268	2840	iexplore.exe	42
PID 2840 wrote to memory of 2268	2840	iexplore.exe	42
PID 840 wrote to memory of 2108	840	iexplore.exe	43
PID 840 wrote to memory of 2108	840	iexplore.exe	43
PID 840 wrote to memory of 2108	840	iexplore.exe	43
PID 840 wrote to memory of 2108	840	iexplore.exe	43
PID 2840 wrote to memory of 1068	2840	iexplore.exe	44
PID 2840 wrote to memory of 1068	2840	iexplore.exe	44
PID 2840 wrote to memory of 1068	2840	iexplore.exe	44
PID 2840 wrote to memory of 1068	2840	iexplore.exe	44
PID 2620 wrote to memory of 2644	2620	RMActivate_isv.exe	45
PID 2620 wrote to memory of 2644	2620	RMActivate_isv.exe	45
PID 2620 wrote to memory of 2644	2620	RMActivate_isv.exe	45
PID 2620 wrote to memory of 2644	2620	RMActivate_isv.exe	45
PID 2676 wrote to memory of 1164	2676	taskeng.exe	48
PID 2676 wrote to memory of 1164	2676	taskeng.exe	48
PID 2676 wrote to memory of 1164	2676	taskeng.exe	48
PID 2676 wrote to memory of 1164	2676	taskeng.exe	48
PID 2620 wrote to memory of 2656	2620	RMActivate_isv.exe	49
PID 2620 wrote to memory of 2656	2620	RMActivate_isv.exe	49
PID 2620 wrote to memory of 2656	2620	RMActivate_isv.exe	49
PID 2620 wrote to memory of 2656	2620	RMActivate_isv.exe	49
PID 2656 wrote to memory of 2436	2656	cmd.exe	51
PID 2656 wrote to memory of 2436	2656	cmd.exe	51
PID 2656 wrote to memory of 2436	2656	cmd.exe	51
PID 2656 wrote to memory of 1516	2656	cmd.exe	53
PID 2656 wrote to memory of 1516	2656	cmd.exe	53
PID 2656 wrote to memory of 1516	2656	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe
  "C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2268
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:406530 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1068
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1528
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2644
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "RMActivate_isv.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "RMActivate_isv.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2436
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1516
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2740

C:\Windows\system32\taskeng.exe
taskeng.exe {3BD9B5B2-D606-4DB0-8A0F-4EA8C9406861} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe
  C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2688
- C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe
  C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2108

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
89272bb583df201b132284be53506fa9

SHA1
823ecc3458132fb981db8bf2712c6ce9ff618fad

SHA256
b3b25e5754043bf1e8c757ba8ded4e1eafd060ca6d9a59db1238fd0745c8d934

SHA512
6670951a3c3ce166cdbf259d6a5ca75a6bfca1d87285549da4b4f8d045ad89ed7e912fcdda323eb824fe16702ffa10b2d4fd03e2c934294944115c36d72b2a32

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
645d6b350e9bcb643cda96b86effedf2

SHA1
cc82f30ba336f1d47e02ae9003ad7f59feb695f1

SHA256
1b90ef35ebbf4a0fd5495da975fe0c564b7e355e17853d951b43ef28efbacd87

SHA512
e62422baa37b6f58c76bf3f84a20f117fb34abcab0a6fddcee3054ddf499183294b6627c29efdf78e5462e2d327894c93cde83c8693953b7d6f0b38c0e531248

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
bf7da1aa8466264bca07031edc171e01

SHA1
15f39e9f701f285c5e6033e8e78d06ffa4a76071

SHA256
c9d6b9612db2be306e18cb4a4c3f0da47417403a2593c33f8d27ea27d5d1288c

SHA512
26c027705814e3e4a9bb8040f4fb599a10d18204f134f269a6e18f838e107545e84b63870e401d7ede34da4c200b5094ac4fa509e0110cb9ee567635ede1b613

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e189816dc90a76c5720af67366fdceb

SHA1
079e740397be202f8952cde60bfb6f0b774b41cd

SHA256
3d089718ffd5079258971520a10e4acadedb606bd7aef3f54e1d4fcaed143ef3

SHA512
5e3ba9ff6ccf4148b17a1500d4d7e5c8503cb9fac07a0ffeb963ea6682dbda4bbf9a898f4c806397d60b536bb7f755c97459b8971f7e9ae9c1e5d28620c060bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b40221dd1600deb20a215b5a04c650

SHA1
5f58cb37bf9daae354ff65c6a9d9aa5556af2340

SHA256
7c61758c28bdacdc68740ac91cb4c92971aa582e747baa6fa37d8be1c55eeb11

SHA512
787d5adf0b93fd03976bdafe85d6cf31c6b64b6e16db8987ec7993f1ed778baf7356755761b12de8c2982c4e0153114ce20a9b0c532d972e65e565269359254e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95ebf1afc4dc06576d36a2e6888ae4d6

SHA1
cac72b9998488471b543abfaa400cf740afa754e

SHA256
1b1d2da841890ad065e2267d5a0a161572e941addedf6ac90b5e10ac748b2e9a

SHA512
b644be7335ee0708e26274001355a8b34cd202c04c896ba84342bff87b8ef9d8ee0079f5b55d7444e12982bbc1e4f51b9730db4d37539c34d995abfa03578570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce8882c772cb2f12ab825120c13bc471

SHA1
ded2e509253a299baf380567126e1eb32fe62f25

SHA256
a4fbc458c12ce0b113c3cc8fe6c8fa9c5d722eecc3952f4a2147f30667587d81

SHA512
ffc6b38426fd2e487899cd621e105ba3184fc163d70ea29f0225e16d68e45b52846226dc0312a3fea7addd96499251eeeda40aa4a005b035a99ccb5196017026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c769851f8ac7396abb90a6b8e910476b

SHA1
1885c9776cf2768be63a621070e9dabc9205be00

SHA256
5e4199989892360397fe04d9b63c1d59d3d9d0487c1ae65e96d8f6765e792e9c

SHA512
5b24dcbdbd8aff5f9fb2602dc876397282a510ef8f5fd7dff70d12fc87006e09d79847d0f5750d8d2eb041da5825cc7b540af54586cf693416ecbe451352d5e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ca55bcc5fde64784a80d89256288d59

SHA1
87b35c914b20f069e14296b845a817b9f50436f1

SHA256
adf372b5a5069fb4a51fa6a356250f788c3d827f0ec6d44880921bc11576c4fe

SHA512
a35289927b1f9677ac1227e0b5938e22cc38ec23b78919f72a83457b41e1360640bc0f6fcbed9f000a300cbdd748a566d8cddbb7f267fab6bc785482e6b6cf2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f3aecfa8520f1010b93a9b471e8b7f2

SHA1
9918f80625114b7078c87ad5a7e5489438f040a9

SHA256
be7e8119e7e5353e58ff386c65a261b46df81229713f0a12ea78104e87dc094a

SHA512
e348756adaa7546bc10a79bbd426fd83955bb5c786ede97dfe318a095ff69a561717d3a29e4d60b1427a6693efd445e0f13ca79b39ff3fba2b1dfed86de1cb63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ca2623bb4fb63b63fd8256805572841

SHA1
86e63cefa5a9b7bc4117dfc06b178be82c5ceebf

SHA256
cd6d709fb33eb88153074aa3beb939f7a55054c6a77fb0a32c0b7df0796253ec

SHA512
37fcbcd3f7968e3727e94079d79a554cb97ba4e0feba08cb640a5b3983835f24f9f5585e80504d06003446628c29ff991861ea47bf5a42f6872ab0ea0115e9c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c14823bd024694769c5fc083887d42c

SHA1
af5b1c51f690ffed881e300e6632129eee5b86e2

SHA256
32358846d3a5ab906c24abf8b0a678b2e175eeec80a704fb537ebae20be11add

SHA512
91435de78d0d841efc887108cc3fbd47f7a3c9c481a2da696d88f793bc809b6f63994e3e71709eff895f91eef117207d5086316e293c35a569f82a0550057c10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95e8b07c34c4a4074841cd6b8afc7108

SHA1
34345e1c1cf137d63d4e4d0b2f1ed9cf870b4cd8

SHA256
71275b8bc7fb388b12bb3304c76aec40f5e46b97a2009e5a5b30b4798dca1f2b

SHA512
99cb5d9a96198c53fb087b8efcbe29d9733298878edbe65fcc98334d3b2bd3878409bc231bfe760c1cca008357a4a3facd696f0dc2ca61f4f3ba3797fe4f9a16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdb30bfe1e90e4b3329d62b32c4f3fae

SHA1
8954cde353420eaae6f8212ad3ad8c63318ad153

SHA256
6ea861e2518e4b283272783fdd0b5e8b66ded185d9873e37fbb0dbe01f99c8a1

SHA512
c2583cebf56ce250de95c28ea5fd207be420ecc19222fc26ce4f5fd4a8abac2eb9724da9ea6d90f34cbcf7f5847a8230ca38cf9b7b9c6ebba7defe9879fbd2e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17466cb9916798be419fae945e629bc0

SHA1
a5472f5a6e01eb3b9110c3b47028aea4bd5f0334

SHA256
cb43bf89d5aedb2c46e831e4b21ea158a6f406cdc31fce20b39c646a83158ba3

SHA512
8b8bba46a1af5ea1c5dbdee89dab9b79ab69e79fac3ee0ec934613fc87635e1a1a85333c9c5693e371d4d1561a8d17af1c5ec15f1fd8749f8dbeea0f0cc7cffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87902c997634f39adbe258aee9500ef3

SHA1
09cc5ed5fd0e94fcf301a1641f778f3392e4c5d1

SHA256
000a4058255bbaa22eeeed93ab183d6d329d62249c3585a0fd9141e3e2bfba9e

SHA512
1a966a33eafd87230f5949f9c7cca625d155c795369d1480bf581f96cad5c82a8d93b5a1f2063c1d1ab99623ba5d9675db9601b8208c993c125a0da059e2843a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b06e7f0712fafd2c1b9fdda288a4ecba

SHA1
5b22d8cfe3da43768004c1d103ed7f0443c4d719

SHA256
ec203b6d2a3266380575eff2f4874a6d3030f020e2acbbf9798e29c0adc1ecf8

SHA512
ce7cbc4831a81911fa5287eff14229bd0b4212b757d3c3fb8b2ca7a0c82069457a61a7f1938344fa7409a66a0251023b53bf5210bf21b68a473e5986e26b3244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c5e11c22be5b6eb6a1b5127f897e734

SHA1
2949706f9d6858032d1ddf619310f009204ee8c5

SHA256
50a3d56f30a0ab407ff0eaf56fa9c352ae4fb7eb70f8f54f5125486c940e43aa

SHA512
9c829c0a3ed0d6a54664f169f0aac88f456504dcf1ece3e2da7e3d4916270e59cfeb9b71a04694af55535d5030b8694bfffff67aa25772f8726c5e9f53cc55f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c12e38c675a70bb44e6de26e8ac58dfb

SHA1
1941a859716e0f04e419fff0384cdd8a6e7e1fac

SHA256
d0f35bdaffba52bdde164d86b98ce42c29e642b6fb842ca392b9c22df1add103

SHA512
f73ef4009bb9b8b091c65c11380a9f372c7775d140dc0341a92386236545cf243b75790b9f4ce1af233fcdcfd232fe49ca017a01118d19a9fec178c190c3620c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa9230c12b7b4feb4fe6b6ca8645a0af

SHA1
0d503392bf708d2f0801e57358fc23acc51ecd2b

SHA256
eff73c8f7dc19af96be46f7df355300bd270739533f86c03f00e9bed1b8f63a7

SHA512
cc48b86d73e2dcfc77895c7f21553106f839dffbe1dbb51ac697e6c918820a9391d20198b9fbea0ef0cb62fbcf2e89c33d8c3afa4d6a601f0224b6bc3d93f0f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41f230f943c431e4bc033502cea7eb19

SHA1
219749b1414847c5e97317bbce7242b4a3a86980

SHA256
c5de9694513f984689ae130b3649d708448a2362e88e194457a4dddefa112d40

SHA512
2e5ec1f4e77b463619425c0b6a5b05bc1e411fc33ef7b2370d4210fc60f3ffe9d92d0c5855d21fc15c3b1ed7860f4441f804036bec237235860311c7442006b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2458418a270c876e69f777c481e3dde6

SHA1
238e40667a1ba9219d0e7d917ff816b1b205d00a

SHA256
a7cb2d7835a9f117eb9e17b2ba43cd4fc0ed98a78158018bd09a4e3c74839ed7

SHA512
9f7f2ced442b710a2ed90e497d3cfdb544d0f61ee57b6bf782b003304edc722a17dff418875d194f324bff9132675033f6f5f4e16b588679a99bc95a0f4c9716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B6D66001-235D-11EF-B5E8-DE62917EBCA6}.dat

Filesize
5KB

MD5
0b09d31375df00c6339ac0cd2a7f4218

SHA1
9a474e5afb303fbc135178545db503d68c79f84c

SHA256
136e563e539eda439f1fe234bdc61a1db4e234ce907bdaf4fe63e79240d2c294

SHA512
c3b53a8e80c8870f32f14032e2827d595ef548327eda90d0dc9f17ce1356167ca657567370fb8557ca3379ba3779d3a53e8e5d271b00dabcabe6c30065a16cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab21F5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22E6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RMActivate_isv.lnk

Filesize
1KB

MD5
1bd48263c359baf1306bb4a5297519c9

SHA1
ac3bf062002a82e9ce95c5e2d9f947e9a4be618b

SHA256
d969f46161b796ae02e30c145c722a3bab585ad007f399a5cf9b5f32d10c9a3b

SHA512
8b56bf4b4960362c00195a76f08d07d4270d570484bbf68cbc3e92c4a4315e901280fa6f4cf1906f4931881147ed1d2a5f955cf8674fc33745d7d3f572ede551

Download Submit
\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\RMActivate_isv.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1164-978-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1164-977-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2196-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2196-0-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2196-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2196-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-467-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-459-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-479-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-446-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-443-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-434-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-461-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-476-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-470-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-473-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-490-0x0000000005DA0000-0x0000000005DA2000-memory.dmp

Filesize
8KB

Download
memory/2620-437-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-980-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-981-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-456-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-453-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-464-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-18-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2620-440-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2620-449-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2688-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2688-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download