cerber | 48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Size

392KB
MD5

6653ef20d2a3a6ef656d9c886ebabd93
SHA1

bb0cc0b05bb70a3d347faa94fb36a35c771b0692
SHA256

48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
SHA512

b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360
SSDEEP

3072:viHZTdn6oWzjNtxPPnGau7GMuOYHAifZEeKPi6u7KzrN7ivE5oY4KppRsqYaefiU:QZqPtvGauSM4HAifkGOzrN+HKkalM

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D | | 2. http://cerberhhyed5frqa.slr849.win/4F31-3F9A-B3AC-0291-972D | | 3. http://cerberhhyed5frqa.ret5kr.win/4F31-3F9A-B3AC-0291-972D | | 4. http://cerberhhyed5frqa.zgf48j.win/4F31-3F9A-B3AC-0291-972D | | 5. http://cerberhhyed5frqa.xltnet.win/4F31-3F9A-B3AC-0291-972D |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/4F31-3F9A-B3AC-0291-972D | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D

http://cerberhhyed5frqa.slr849.win/4F31-3F9A-B3AC-0291-972D

http://cerberhhyed5frqa.ret5kr.win/4F31-3F9A-B3AC-0291-972D

http://cerberhhyed5frqa.zgf48j.win/4F31-3F9A-B3AC-0291-972D

http://cerberhhyed5frqa.xltnet.win/4F31-3F9A-B3AC-0291-972D

http://cerberhhyed5frqa.onion/4F31-3F9A-B3AC-0291-972D

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D</a></li> <li><a href="http://cerberhhyed5frqa.slr849.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.slr849.win/4F31-3F9A-B3AC-0291-972D</a></li> <li><a href="http://cerberhhyed5frqa.ret5kr.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.ret5kr.win/4F31-3F9A-B3AC-0291-972D</a></li> <li><a href="http://cerberhhyed5frqa.zgf48j.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.zgf48j.win/4F31-3F9A-B3AC-0291-972D</a></li> <li><a href="http://cerberhhyed5frqa.xltnet.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.xltnet.win/4F31-3F9A-B3AC-0291-972D</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D" target="_blank">http://cerberhhyed5frqa.xlfp45.win/4F31-3F9A-B3AC-0291-972D</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/4F31-3F9A-B3AC-0291-972D in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2708	bcdedit.exe
1688	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	ktmutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ktmutil.lnk	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ktmutil.lnk	ktmutil.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	ktmutil.exe

Loads dropped DLL 3 IoCs

pid	Process
844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
1976	ktmutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ktmutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ktmutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ktmutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	ktmutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ktmutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	ktmutil.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ktmutil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE88B.bmp"	ktmutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2640	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1452	taskkill.exe
1344	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop	ktmutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\ktmutil.exe\""	ktmutil.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F32E141-24F6-11EF-9DE9-520ACD40185F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d57b00bfdc998543836486c53268d1c500000000020000000000106600000001000020000000d585ae605c48b72c7d16c7f57791b621eb0b4cac26f6d2e044687040572fb773000000000e8000000002000020000000be934f141703df1312f5fe195d94aa8a93db4e9af3f25136837dd9a75594359620000000459b964ec60e6479e8f5a59277d789af5421125d2bc3482ac129dd894ba0a050400000006eb458f7c11c3e6ef5c3bcabd45a468ae78e160a2f92a7063dcbd438897186982072032f9ebb9e12722736e7738dfdffc250c59183302986e13835d2ab2e5568	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423944445"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F295BC1-24F6-11EF-9DE9-520ACD40185F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f080f81103b9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d57b00bfdc998543836486c53268d1c500000000020000000000106600000001000020000000a32b8d4c810ed093c05750406dd7e494c3fe3c94f262be3754d4007af33ee019000000000e8000000002000020000000168d62d42f85facbe0be3119ba009ee9719eb844492eddf2af79b993ccf934ec9000000034aed9a2c3bfbca0b9e90c75e2b0655619b9c8ddcb25f1431b4001090aa3c2609db413f8380037c56ed6e3abb80854dcc25c0130a029de5cca563b31b52b4f99daa17a989f5aa74a613bf2fc4bb45eba7384c7cf0f7b862cdf5eb363fdf7d76fe839082ded340dd43a34c73cd96d9e678b3f7145a776c594e3ac827f9f94fd7075543c2c5035afa4e5ccce49b050e916400000007cfba4e2527884485b1a0842e225c4c782b287cc4f702c25f9b00752ffd30bb9caf8fcffa945b9ca8bebcbb3fb66c002ca2216ee8977d721a3646b5b083ebc1b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2512	PING.EXE
1672	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe
1976	ktmutil.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Token: SeDebugPrivilege	1976	ktmutil.exe
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2072	wmic.exe
Token: SeSecurityPrivilege	2072	wmic.exe
Token: SeTakeOwnershipPrivilege	2072	wmic.exe
Token: SeLoadDriverPrivilege	2072	wmic.exe
Token: SeSystemProfilePrivilege	2072	wmic.exe
Token: SeSystemtimePrivilege	2072	wmic.exe
Token: SeProfSingleProcessPrivilege	2072	wmic.exe
Token: SeIncBasePriorityPrivilege	2072	wmic.exe
Token: SeCreatePagefilePrivilege	2072	wmic.exe
Token: SeBackupPrivilege	2072	wmic.exe
Token: SeRestorePrivilege	2072	wmic.exe
Token: SeShutdownPrivilege	2072	wmic.exe
Token: SeDebugPrivilege	2072	wmic.exe
Token: SeSystemEnvironmentPrivilege	2072	wmic.exe
Token: SeRemoteShutdownPrivilege	2072	wmic.exe
Token: SeUndockPrivilege	2072	wmic.exe
Token: SeManageVolumePrivilege	2072	wmic.exe
Token: 33	2072	wmic.exe
Token: 34	2072	wmic.exe
Token: 35	2072	wmic.exe
Token: SeIncreaseQuotaPrivilege	2072	wmic.exe
Token: SeSecurityPrivilege	2072	wmic.exe
Token: SeTakeOwnershipPrivilege	2072	wmic.exe
Token: SeLoadDriverPrivilege	2072	wmic.exe
Token: SeSystemProfilePrivilege	2072	wmic.exe
Token: SeSystemtimePrivilege	2072	wmic.exe
Token: SeProfSingleProcessPrivilege	2072	wmic.exe
Token: SeIncBasePriorityPrivilege	2072	wmic.exe
Token: SeCreatePagefilePrivilege	2072	wmic.exe
Token: SeBackupPrivilege	2072	wmic.exe
Token: SeRestorePrivilege	2072	wmic.exe
Token: SeShutdownPrivilege	2072	wmic.exe
Token: SeDebugPrivilege	2072	wmic.exe
Token: SeSystemEnvironmentPrivilege	2072	wmic.exe
Token: SeRemoteShutdownPrivilege	2072	wmic.exe
Token: SeUndockPrivilege	2072	wmic.exe
Token: SeManageVolumePrivilege	2072	wmic.exe
Token: 33	2072	wmic.exe
Token: 34	2072	wmic.exe
Token: 35	2072	wmic.exe
Token: SeDebugPrivilege	1344	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1724	iexplore.exe
2920	iexplore.exe
1724	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1724	iexplore.exe
1724	iexplore.exe
1724	iexplore.exe
1724	iexplore.exe
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE
2920	iexplore.exe
2920	iexplore.exe
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
1976	ktmutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1976	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 844 wrote to memory of 1976	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 844 wrote to memory of 1976	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 844 wrote to memory of 1976	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 1976 wrote to memory of 2640	1976	ktmutil.exe	30
PID 1976 wrote to memory of 2640	1976	ktmutil.exe	30
PID 1976 wrote to memory of 2640	1976	ktmutil.exe	30
PID 1976 wrote to memory of 2640	1976	ktmutil.exe	30
PID 844 wrote to memory of 2584	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 844 wrote to memory of 2584	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 844 wrote to memory of 2584	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 844 wrote to memory of 2584	844	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 2584 wrote to memory of 1452	2584	cmd.exe	34
PID 2584 wrote to memory of 1452	2584	cmd.exe	34
PID 2584 wrote to memory of 1452	2584	cmd.exe	34
PID 2584 wrote to memory of 1452	2584	cmd.exe	34
PID 2584 wrote to memory of 2512	2584	cmd.exe	37
PID 2584 wrote to memory of 2512	2584	cmd.exe	37
PID 2584 wrote to memory of 2512	2584	cmd.exe	37
PID 2584 wrote to memory of 2512	2584	cmd.exe	37
PID 1976 wrote to memory of 2072	1976	ktmutil.exe	38
PID 1976 wrote to memory of 2072	1976	ktmutil.exe	38
PID 1976 wrote to memory of 2072	1976	ktmutil.exe	38
PID 1976 wrote to memory of 2072	1976	ktmutil.exe	38
PID 1976 wrote to memory of 2708	1976	ktmutil.exe	40
PID 1976 wrote to memory of 2708	1976	ktmutil.exe	40
PID 1976 wrote to memory of 2708	1976	ktmutil.exe	40
PID 1976 wrote to memory of 2708	1976	ktmutil.exe	40
PID 1976 wrote to memory of 1688	1976	ktmutil.exe	42
PID 1976 wrote to memory of 1688	1976	ktmutil.exe	42
PID 1976 wrote to memory of 1688	1976	ktmutil.exe	42
PID 1976 wrote to memory of 1688	1976	ktmutil.exe	42
PID 1976 wrote to memory of 1724	1976	ktmutil.exe	47
PID 1976 wrote to memory of 1724	1976	ktmutil.exe	47
PID 1976 wrote to memory of 1724	1976	ktmutil.exe	47
PID 1976 wrote to memory of 1724	1976	ktmutil.exe	47
PID 1976 wrote to memory of 2972	1976	ktmutil.exe	48
PID 1976 wrote to memory of 2972	1976	ktmutil.exe	48
PID 1976 wrote to memory of 2972	1976	ktmutil.exe	48
PID 1976 wrote to memory of 2972	1976	ktmutil.exe	48
PID 1724 wrote to memory of 3056	1724	iexplore.exe	49
PID 1724 wrote to memory of 3056	1724	iexplore.exe	49
PID 1724 wrote to memory of 3056	1724	iexplore.exe	49
PID 1724 wrote to memory of 3056	1724	iexplore.exe	49
PID 2920 wrote to memory of 2152	2920	iexplore.exe	51
PID 2920 wrote to memory of 2152	2920	iexplore.exe	51
PID 2920 wrote to memory of 2152	2920	iexplore.exe	51
PID 2920 wrote to memory of 2152	2920	iexplore.exe	51
PID 1724 wrote to memory of 2604	1724	iexplore.exe	52
PID 1724 wrote to memory of 2604	1724	iexplore.exe	52
PID 1724 wrote to memory of 2604	1724	iexplore.exe	52
PID 1724 wrote to memory of 2604	1724	iexplore.exe	52
PID 1976 wrote to memory of 2284	1976	ktmutil.exe	53
PID 1976 wrote to memory of 2284	1976	ktmutil.exe	53
PID 1976 wrote to memory of 2284	1976	ktmutil.exe	53
PID 1976 wrote to memory of 2284	1976	ktmutil.exe	53
PID 1976 wrote to memory of 2144	1976	ktmutil.exe	56
PID 1976 wrote to memory of 2144	1976	ktmutil.exe	56
PID 1976 wrote to memory of 2144	1976	ktmutil.exe	56
PID 1976 wrote to memory of 2144	1976	ktmutil.exe	56
PID 2144 wrote to memory of 1344	2144	cmd.exe	58
PID 2144 wrote to memory of 1344	2144	cmd.exe	58
PID 2144 wrote to memory of 1344	2144	cmd.exe	58
PID 2144 wrote to memory of 1672	2144	cmd.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\ktmutil.exe
  "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\ktmutil.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2640
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2708
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3056
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2604
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2284
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "ktmutil.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\ktmutil.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "ktmutil.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1344
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1672
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2152

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
ac2b704d10ba6ab83ccdbc463fc7d65e

SHA1
6822ca0b6c388341d2efc1acecf23b8b2015c622

SHA256
47f408f4f9ae7963e27f2d509d28a7e00cee4429eaf2e7c1b6e35c82ed9300df

SHA512
78ec5e40b80471fcf873573fe40e860f0b4804923c89dea2dbf11481534aacd161e870cd0f8fcb84c5aaf73d8940c041437f314f6749645c088cccb3aa17b269

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
2aaed6f52ee306f1649e005dd7ab6c79

SHA1
78d12ce48dedd71a9223129eaa5883bec42c2cf2

SHA256
ea80eed0680612864ef2da9064539054abca351c23bfc4d8f34f3fe6a8c8bad7

SHA512
cdb415d5f3af989b937db7d986a61c2787cc26ae2774228f709d5db8a4b2b7a23569d326a7cb73aa75949b84f8927104361d6a30fc37db2cd125f270a8a02864

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
2b6c58d1a5412616da0a7af2a26011ef

SHA1
39a216adf3252b01afb66e41b8c0b38a78ea7762

SHA256
8952b7d5e55455f7293c65ff461c7fa9b34ddfbec8f12b8ebf94ba3110b5ed4b

SHA512
de76627878938dbf1d84a502475d7911ea246cf3fa1f90732685fbe91637c189efd5a5fb726e9d8f43bd11e56fafbc054fc1721950a2e6d98d76deb1a06c7957

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a56dc3fddf63f95e7c4c54a1067074a

SHA1
8de22aabbcc9a040e49b8b14eba961a2c1ffd387

SHA256
b31736b7cb193c0df6e70e843648e85b55b3be3866e970d78f3502dff30a0ee8

SHA512
c70133688d41b3ad248abb1bdfdd5054f3fab07e12ffbcf879ec71879855df99c04fe2428f151ab212a62727520025073cfffbd8f7b2db7ef7e7d5637a9ebac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf179209d620c332a21578678ca23f16

SHA1
14b6873680b443b64fedf73f8e6222a98f39c4c7

SHA256
ff24ce5e17089ddb935dd078863252aaa6b72fe8ee54107ab971ffaf01947155

SHA512
2b8466c5788e0a72bca3c3dc2cc450dfd9d9572111a9eeb66dd4c86d0846250dfd7642da52a81b39676f6730ee8e8e4372d48a69b3b24b3addf33b766fda0d5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58d1e7302d349e72e4d1a3cbeebeeecf

SHA1
e775620ed7c37ed5bb6700ced8c94043617f715f

SHA256
e81fff956f6b581a02d548435cc9fdf7b81e1d45d0e492b049c1bfef37e21921

SHA512
9da3243275f1f6da8d8e236487d0ea1b2def0d272af8bbd545c535ed7713cf08f439c91d48fbdc2005c4efb214026d8681154c3b0bbc84a7410dae9eae1bd4c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7c254e311ac7553e0b05f6a549e831a

SHA1
0c63b1ac1c69832dde823251ae79aad75a36b489

SHA256
1ae059bbfe93a4b32304fe514b48943715121982bbbbf41c575ba17b52db9d74

SHA512
3f31cbebd55406181dcc910526cd5e512468bac28328ab40290e5ebf70c0cbf199f84f5fa677e86614efaab2fdf78a3b9e88350db2791626db313b2f76019e9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49d74687682d95af0a4c288e87d9ddb5

SHA1
f0d086b782525e1a2ba41ffecf1aabf6928c2915

SHA256
66759490eeb0269f3650027508475ec756ec0f280cbf8a2794852d93e64a7a90

SHA512
3a217face7722e1009cc744fe836c51dd4a2b05b82ee5a8a3cce4e2dfc39b19196d8f280ad896bbd5f4bf1ee866f76631f7147891f90839bcddc480124aad7a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb176722231cae721b3f338ae419908c

SHA1
2b409a935d341b036b7b1f8157d335a05766b008

SHA256
d379b7618d7709bc4e34dbe26198d2cc0d1faabd921a821aa5b33e2931dab8e9

SHA512
51ec3e2b11db6686a5b3dd35dc2eddb284c0314d85f25bb0b2251e465f746d9cd6521172bd6d9c6ffba208ff4037c0bdddac76ba1839634ec74e339ba4e7d7f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa69c5e9a7c7d9a3e0138404b07373ad

SHA1
ad9c185316a273fd7750c05f86137ca0015a0342

SHA256
c219d2ba20d44ad6dcea430e3ebc3260755c4e478a09f2efd0c4a3e4f77d7d5d

SHA512
05a5395e950bad22d2f0de838ba23ac9cc8f95b8ca57c7d91c917876afc35268723f53eb797e096c36595f82e10854de33d996d81814cf1c0103498d97eabe3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
767284fa17942c38964aa0a8e5f09d97

SHA1
5697a6a9d977d9167c767daead8ec162b7e26fa6

SHA256
ec999e60d15c63208fc2e10c055aa23220ba7ab9b30992d456d04d68a1234ce1

SHA512
3876f98f5d8cc046ae5845a2ea38ed82f15885ce62b17ab2a60e9fc075b6b90f9838f65993473ac307d2026af767ec956ea58e45fee00b84255793799b98e568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e7964d54fb2e4cd9945b98cbecf882e

SHA1
18b59cf7eff7d1a1ee357ba0f7d3862aa9d0e2b7

SHA256
4aa5be2ea51058728201b3548e80b2aaa09dfedcc9106de4ebda4382d38f1316

SHA512
f23f708b8d7782e5e6ba869c9511303e9879d08f415a9c5acfc56f50eb83e6f2a449f7c90ed3e40966eee16f2e5587c8f183414b9883f34dbd69dde2a27b8d71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df80631077ec1155da4168abca71fcb6

SHA1
137ff262ff9f0e0411dfd00d47c00df57e4f9eb5

SHA256
c0eade3b52e766747b6f5c16a22c0ba1211abfc62d1ff135b356d8b4fdde0409

SHA512
a11d4f9edf4661ce0eb783ca8d82b180b15c077c62a57f63f58c590d8000ac5ea6896e82246faeed38ea709941a9f685239dd32b4210d53aa34147a258595146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6e498d6127efa7fb0bb24b6c02d25ae

SHA1
56774d4a8e87db50c478e50e10c3d6070d613c79

SHA256
f7ae3f1e35dc659e73578397d9daaab1757b09e1834c042e9febd515ecf47698

SHA512
faaa3025cad30a583d4d588a4ae64b95620a9c04a0f66acf95dff2747c9fe1dcc831d4003461b74fe2a77bae1f7d80c508d0fb7129b9402be12e3d79309520a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e60f4492606131bc197ca28d85533a1

SHA1
4c62ff9e34f6fdcb5d19d47753205b8fe3c67661

SHA256
c7038dddc44491772b458b120460df51ff72c772d1cc3d8b7ca5d812793e873d

SHA512
7b12a72b79f324804d4c6318f5ce5b62a4539612e4d38414397378c50800dcaae23f79a65f53c46d5a9838e29ca8eb08755f53c60ae7291ae8980f6e6ccda596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7744ed3caa00f3cabeee6ed1a32a6d4

SHA1
eb6d9e408eefceb6675c535c7fa1ff2b8f366d42

SHA256
8b6a67330acddb71135a30eb51eb7f433eb56889adcb08f8a4d797aa38d52cdc

SHA512
a1963a5d3310ec28797ce2544b077738ca5dfcf90fc874e0a846f85fcb063211d4ef1fc8ab305beed841fc64d9ca89accf1eae4d39368a2a00d085440f9e28f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23553c9500eece18de0c8648391ac245

SHA1
8b36d4d2092b9f2ede8e5c9dcd0aa051ff48a901

SHA256
719b6ed6c02c9da16f20c0b3a19ef126751c60adeab371b6f714800242b90c40

SHA512
bbbc7f6d182cf5dc40fb4e7ce7f3b9f29d103e0aecbd926f6338504fc12ea2136bb2ed03e06a0dbb00007fcfdc8e4ceeb5e14b29b48770535b1131df0d3dde88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cb3b7f7e51e7f9864d30aed3ec59152

SHA1
2558d567d8adca3aa5b87f9472f521cd51a76b05

SHA256
09b1e5093b02cd9d286f07751e70ecbd647eb8a1da172de315133e85f6b4ced3

SHA512
a1d4a667a47b7b0dfd8385fd6dbf2f1345e873f49c32fbd35da83fccf9f73489518aefa6180a7a91711b361eaf7849b15ad380754d6fbb9807955a1bb44040ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b075068882b23102e73128eb87a5e9b

SHA1
a1ce7b22c15fd2b1ac3934f867623e56565f6ee8

SHA256
003535ca0542643bca64b5e325e598b92802a1a660b307b2e07f157c479e4fdf

SHA512
e42fe7f689ab917e0246c0e247263b78689aa8c3e42e8e3228084707c3a61d89183146499d0768c517c5b5c606d14433034d1270a68ffd53625a6e76ea46d87d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db32a68be1ee2850aac85b392dbe8835

SHA1
c2841e4559f8728a044abb14bb3692cc249fd9b2

SHA256
a849b1e9c8efdfa0193f96d439ea7720c9d3b98c9fd4b89276ffdee3d655636d

SHA512
b5bd5fc1c1ceb8724d4d44035e3dec4598f08b580d643ab7b377ef2552cdd391554557b25b2190bd5d6fc01606c367a1af5e782de5de5ca07a2ab6a5457c1eae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faca007463b497e0bc41fce8f32e2252

SHA1
03ec7e850db5de59f1fcdfdda6752f997d80e14c

SHA256
b89a4d3a22af4112fc79f8ee9a0ff48cfd270d200baeb0566eb34b1c8ff7cd5a

SHA512
a79d650b7f2de10f2bbe46fdd007e4fb5bac97e9beaab0555fb049c446283d42faa74cd2a8a6fc8b479f0c62f389256dfd6f85c95905c99e65927353aba67a9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4840cab14dd0c82c81a0c6e9f5826a6

SHA1
43072c3b99ca848f6fa57fe38da2b3dbc56b46db

SHA256
c1ff81c5fa2cb136bc601a4b2f2a6c8100d2aa562cb87b501591e7c011c50d80

SHA512
4ef388b86771c971930c87cc3fc9d66d2b643850f3d359dc08251c4ad9176240392295786ce98f0fdc4f9faf1ac8651c22566ff828f02c7f2994b0bcf20a36bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F295BC1-24F6-11EF-9DE9-520ACD40185F}.dat

Filesize
5KB

MD5
a34699e5196a1484b6e0d1049eda6382

SHA1
1837e623bb06619a7a11c8db5d260b1eb145e535

SHA256
e5c9676739d3fcf469535dd9bfd6a4e98663018708ad866ffb72cf36b24de51f

SHA512
ec2e6921f1cd7bd6abe4a89506600d008bf150b764eb002634b2945b775703a5b953c419aef4263a436908bbc78c37a76ce099a39cd640d84290d25c10bf543f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFFE3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ktmutil.lnk

Filesize
1KB

MD5
468b6760276289fe2158ec927a966612

SHA1
9c8bbb6fa2954c80fd18d0e757909ee24c425b2e

SHA256
f22ab7aa2c0a05f6a75e0312e3b055d53869798f2eb80c5a44a885fac0e3ea61

SHA512
a8c67c810f0261a3d1d60729712212e5dd576129da703dbdf5f28a49127a3700fdc8ed7615637c2ce14034795532887b007ef5b6834ece919a3e5624863bfd88

Download Submit
\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\ktmutil.exe

Filesize
392KB

MD5
6653ef20d2a3a6ef656d9c886ebabd93

SHA1
bb0cc0b05bb70a3d347faa94fb36a35c771b0692

SHA256
48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

SHA512
b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

Download Submit
memory/844-0-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/844-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/844-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/844-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-458-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-463-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-485-0x00000000041D0000-0x00000000041D2000-memory.dmp

Filesize
8KB

Download
memory/1976-455-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-449-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-459-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-474-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-476-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-451-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-972-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-465-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-467-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-21-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1976-469-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-471-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-441-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-446-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download