cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
129s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7 | | 2. http://cerberhhyed5frqa.qor499.top/EA55-BAD5-F3AF-029E-D6D7 | | 3. http://cerberhhyed5frqa.gkfit9.win/EA55-BAD5-F3AF-029E-D6D7 | | 4. http://cerberhhyed5frqa.305iot.win/EA55-BAD5-F3AF-029E-D6D7 | | 5. http://cerberhhyed5frqa.dkrti5.win/EA55-BAD5-F3AF-029E-D6D7 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/EA55-BAD5-F3AF-029E-D6D7 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7

http://cerberhhyed5frqa.qor499.top/EA55-BAD5-F3AF-029E-D6D7

http://cerberhhyed5frqa.gkfit9.win/EA55-BAD5-F3AF-029E-D6D7

http://cerberhhyed5frqa.305iot.win/EA55-BAD5-F3AF-029E-D6D7

http://cerberhhyed5frqa.dkrti5.win/EA55-BAD5-F3AF-029E-D6D7

http://cerberhhyed5frqa.onion/EA55-BAD5-F3AF-029E-D6D7

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.qor499.top/EA55-BAD5-F3AF-029E-D6D7</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.gkfit9.win/EA55-BAD5-F3AF-029E-D6D7</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.305iot.win/EA55-BAD5-F3AF-029E-D6D7</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.dkrti5.win/EA55-BAD5-F3AF-029E-D6D7</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7" target="_blank">http://cerberhhyed5frqa.zmvirj.top/EA55-BAD5-F3AF-029E-D6D7</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/EA55-BAD5-F3AF-029E-D6D7 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	shrpubw.exe

Deletes itself 1 IoCs

pid	Process
1844	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\shrpubw.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\shrpubw.lnk	shrpubw.exe

Executes dropped EXE 2 IoCs

pid	Process
2472	shrpubw.exe
2624	shrpubw.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2472	shrpubw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\shrpubw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shrpubw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\shrpubw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	shrpubw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shrpubw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	shrpubw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC61D.bmp"	shrpubw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2156	taskkill.exe
2364	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop	shrpubw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\shrpubw.exe\""	shrpubw.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c000000000200000000001066000000010000200000006014394707e91bfef82d38eec7ec45685a684d91bbb2cadb0ca6843feef7a4b9000000000e8000000002000020000000ae7b5175188bd32457e9c06304fb5722f708f584f2ba1cb775347ebdcda840f4900000007e4387a6f8b91e2b5f80b78a13cdc05d0ed667cc8cf5de7aae2212d1c707e54d5d16a38a37cc70517b8b123d4b552e64c5824b1f9b4af660ee1700dca291175d22120efd6dff98e90ac51d5643bceaff1ce775431bfd4f3099dc3cce95ceb31f6006fbbb9f55c22f3886df35dc3775946e1943b6469abb629407c07eb2d42e46618b614499582b81a664954c3612b4f6400000009af2793177237b0aeae43c8dbbdc6e219b301a962333d714b0f327f9be10016b851c0ff81e693b0cbae9618c304d4e48d486d514b05ea07fd0ac721f8b28a1c3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c0000000002000000000010660000000100002000000020eca305e643fc5efae028fe3eb374b7c2c3d433b7c7dac4cbc3e0b5d62c8f6b000000000e80000000020000200000008d7c42ec0199ea670b2389f3bb551044373fc6c1d9e5700c6f70d74fd961812720000000a8ced87a83fa6928a9118b4e47855561869241decf28a04e28c94e5b2c6dfa844000000014f9ecdd70ee783c8487f3f88e3ae02803d95bed0d63a4ac18d8a736d21db295eb7f346ba3421d531cb13cd6e6646997af85ec5a9df4004972539db0b424925a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{78FE5C91-464B-11EF-AD79-76B5B9884319} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427609411"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{78F4D711-464B-11EF-AD79-76B5B9884319} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b2ce3b58dada01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2560	PING.EXE
2192	PING.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe
2472	shrpubw.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	2472	shrpubw.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2624	shrpubw.exe
Token: SeDebugPrivilege	2364	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2980	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1956	iexplore.exe
1956	iexplore.exe
2980	iexplore.exe
2980	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2472	shrpubw.exe
2624	shrpubw.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2472	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	31
PID 2604 wrote to memory of 2472	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	31
PID 2604 wrote to memory of 2472	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	31
PID 2604 wrote to memory of 2472	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	31
PID 2604 wrote to memory of 1844	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	32
PID 2604 wrote to memory of 1844	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	32
PID 2604 wrote to memory of 1844	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	32
PID 2604 wrote to memory of 1844	2604	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	32
PID 1844 wrote to memory of 2156	1844	cmd.exe	34
PID 1844 wrote to memory of 2156	1844	cmd.exe	34
PID 1844 wrote to memory of 2156	1844	cmd.exe	34
PID 1844 wrote to memory of 2156	1844	cmd.exe	34
PID 1844 wrote to memory of 2560	1844	cmd.exe	36
PID 1844 wrote to memory of 2560	1844	cmd.exe	36
PID 1844 wrote to memory of 2560	1844	cmd.exe	36
PID 1844 wrote to memory of 2560	1844	cmd.exe	36
PID 1744 wrote to memory of 2624	1744	taskeng.exe	39
PID 1744 wrote to memory of 2624	1744	taskeng.exe	39
PID 1744 wrote to memory of 2624	1744	taskeng.exe	39
PID 1744 wrote to memory of 2624	1744	taskeng.exe	39
PID 2472 wrote to memory of 1956	2472	shrpubw.exe	40
PID 2472 wrote to memory of 1956	2472	shrpubw.exe	40
PID 2472 wrote to memory of 1956	2472	shrpubw.exe	40
PID 2472 wrote to memory of 1956	2472	shrpubw.exe	40
PID 2472 wrote to memory of 2172	2472	shrpubw.exe	41
PID 2472 wrote to memory of 2172	2472	shrpubw.exe	41
PID 2472 wrote to memory of 2172	2472	shrpubw.exe	41
PID 2472 wrote to memory of 2172	2472	shrpubw.exe	41
PID 1956 wrote to memory of 1448	1956	iexplore.exe	42
PID 1956 wrote to memory of 1448	1956	iexplore.exe	42
PID 1956 wrote to memory of 1448	1956	iexplore.exe	42
PID 1956 wrote to memory of 1448	1956	iexplore.exe	42
PID 2980 wrote to memory of 1692	2980	iexplore.exe	44
PID 2980 wrote to memory of 1692	2980	iexplore.exe	44
PID 2980 wrote to memory of 1692	2980	iexplore.exe	44
PID 2980 wrote to memory of 1692	2980	iexplore.exe	44
PID 1956 wrote to memory of 2240	1956	iexplore.exe	45
PID 1956 wrote to memory of 2240	1956	iexplore.exe	45
PID 1956 wrote to memory of 2240	1956	iexplore.exe	45
PID 1956 wrote to memory of 2240	1956	iexplore.exe	45
PID 2472 wrote to memory of 2812	2472	shrpubw.exe	46
PID 2472 wrote to memory of 2812	2472	shrpubw.exe	46
PID 2472 wrote to memory of 2812	2472	shrpubw.exe	46
PID 2472 wrote to memory of 2812	2472	shrpubw.exe	46
PID 2472 wrote to memory of 1020	2472	shrpubw.exe	49
PID 2472 wrote to memory of 1020	2472	shrpubw.exe	49
PID 2472 wrote to memory of 1020	2472	shrpubw.exe	49
PID 2472 wrote to memory of 1020	2472	shrpubw.exe	49
PID 1020 wrote to memory of 2364	1020	cmd.exe	51
PID 1020 wrote to memory of 2364	1020	cmd.exe	51
PID 1020 wrote to memory of 2364	1020	cmd.exe	51
PID 1020 wrote to memory of 2192	1020	cmd.exe	52
PID 1020 wrote to memory of 2192	1020	cmd.exe	52
PID 1020 wrote to memory of 2192	1020	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\shrpubw.exe
  "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\shrpubw.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1448
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2240
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2172
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2812
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "shrpubw.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\shrpubw.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "shrpubw.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2192
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2560

C:\Windows\system32\taskeng.exe
taskeng.exe {A9381364-D733-4C56-B46B-EC8345CCCA63} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\shrpubw.exe
  C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\shrpubw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
877f593f9b6a7a40705b8d247dd72b75

SHA1
5f8490670b821a07ca834a1faf78f31829770997

SHA256
4c443939b0c4b45bde9860383c3f1a09872b1174ec415ab011287eaaae0cce76

SHA512
330eb4dc68db9e5ae40a5a0717a51e68a352d07c2ea38ca18e6da28d90963528a0b19ff846fa6b3f96e1f3b790a472eca8f421fc06da36671cf5e6202a64003d

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
f91d79837f351dc9cb414402ad453695

SHA1
d7378f373bb7cd3d03f2494b0f8faa419197d786

SHA256
cc9c9afc25e0dd5c0614c4e277684582076e42a83722b0e5a198a7571bdfc4a7

SHA512
1f0a4e1a2a5658b73825bb8dd6f385636c5c858ffc29fb3a0f9c459fd5b7b4b06a72e50162b7d24ca93787f4f0a11f956d6d1a179b814f0245b4696de2ab7b1f

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
4651c0c11cda3f094c0c6e9dc90961a6

SHA1
037386c69c3e43e35fa05578f94bfe96a3d107d8

SHA256
e05dfa062e05fb66682cc9619fa9bc72dd2633c6068c38512f5646baff0f7540

SHA512
e28092c9eb139b64d32611e32bf10d8a17ea0f7f314ef7aa7fbbd4209333dfa692b13246ba405616282621c1662328da28d568e5eebcb6d6bafadd6ff256d560

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
df423e7a23fb317d29fe0a1463483b29

SHA1
dbe38b9deda5213fd635263f519abfdcc996c5cc

SHA256
3bc314f144264aca0b04c402bea820372a12c8a14a6cf3b8e1b5f5065e1f4a31

SHA512
63c3a3fafd0b353c9e841a28a841c7c035a875c3161fc9246644d152e2bb732a29d89829f2d9cd215e8ded8cfbb71046beedb1d7e28f0fd33e0922017d3a08df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
847a66ba6525ef23a4881947ed3bea45

SHA1
f981302aa6c0fc7b36dc4aee7bb9c546d6dd2c4b

SHA256
207b487891e07be577be3d551a50b960a3ce2590cddb3b3bf3d21978e248c51f

SHA512
1b221e5d3426bcd160f3f73c37a4cf1c8c018013c77d46ec0bf26f87410e26839efa5cb7956dec5b591096ad84b2e3172b086671911cf0e84391bbb35411e598

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c86112886bd5b7596ca04b9005c2de78

SHA1
6291433ad333cf3425db702de5f950dd651c906f

SHA256
8e15ade22c0b601614305104e948da344d4669502ad7d649f119e231c90520c6

SHA512
8afd4a9970494616238389c21d9871ead913ce3e9d23c690a1fb7f270b7c46fc51445a8ac185e87e9ff12ca7fd53d06250b06342ad8fddd0bbd2f9bdcb545a71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7e1a874a580fe22e8f3af6a6eff7de59

SHA1
92da0d5bda774ba7b88638c8e81c924eb2f8f778

SHA256
7fba0eebba8d00dbd5d65b6a1c854135e9d08d6207ec489f45847c8764f5175b

SHA512
c6566215e6e0567f1440bdf1d55619eaa5bd193a6ca3da57aced9b9e2f206fa3a59a9521a1d58641b5655fb6da1331b1e695edf5367b7794612f8977ad0db514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e0aab943c2aa3f3b4ead12f41c80bee2

SHA1
ffe0d23416c2769856602a118a05ad47ff77152e

SHA256
26cc8811a26e4f1f98377008612346b57cbb80352315b09f3ca38bdf2532174b

SHA512
138a7d27c1d09983e7a89f5b71df13f55740342082abe5973e40ca4842cd88e046712f99025fcaeb21d4670820309b905954a6eb1ea3a59b104a5506a48a8b4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1375e096dd786625acae0ab18ba40b14

SHA1
e069687292d25bdc065ff0f933822855d8b9d812

SHA256
ff97f61d4c29a727cbe19c472630a73dba86b013cff415a382769fe35ab7e824

SHA512
9cd94e077fd1e5f25bab5e858af90267b45d3a2c00cb253c36125b3c295f54cc397ff7fdafc65ff2db8face1c6d155764dcbda16e8b083f31fc4a139f6517155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9348273fb0ad0f22fbc58d425a38646a

SHA1
cddb459c251815c63021abe947fd81b8381e81b7

SHA256
a6bac54a7d6d41c6553aa5d02a3e20be9a43773d26afff739a84e28c52eaf899

SHA512
fa32001124812caf331e742aa3c9e7b33813036d4b4503755d2917b0fe4ff176bf0bc77702723986c9950539f427ad9089b4933b51ad7916c00cbbfd0a302b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
028c788eba3f5072b215ca1f56214f4b

SHA1
6643ff85763489d4ef1ea373816a7e0d3bcd3468

SHA256
9f3ad93ce2475989bc389a997c8a5740ce0752ade9d7e83d9c2a12544518a387

SHA512
13ecbd37ac8619d08420a9a4aeabee82c7107e49e081efce5d5abb6d2d4f09bb505af82a7836b95bf4bc24673a017cae3d7141a53d82d5753aa01e55b63c2381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
312e483a190efd6aef87bb91818f82fb

SHA1
655f6ac79f29386f4b3da0e9cc19e191d848a7ac

SHA256
5e9b76c8b640b56aad82ce12c1af30aced9ce579731bfeb1db2b185d82043b5e

SHA512
67a7024104653e75b3719c60a9fddd2fcb163a0b7653ea843e94947d0e9600e4a551da48443084129867cf106d6bc035cb1327a6946c1c01e9b5108b2f0f0992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9b3dd7748173d61d735f9258d68b97b0

SHA1
83534c83f5139d5ac4e8ddf20b9ad9c0122a56be

SHA256
dbf97a8ed1468d1fa3eda676ed0b3851c056deb82f236d32f0b3e1b5301c1893

SHA512
e2f408eb706ed5adceb5742eb5f4272410396fe576ca8467dcbc7d6705cce50a79418f045efe30f146835d65f5df419c9483b535914585db05f62bb467d49bae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9b51215ab042ce5495512a38fbea5a1a

SHA1
128f39cd56a00841d49abc73806dac16c145851b

SHA256
36fecebf0561706f2b3da938f26b8d25dc8c7a388931276b5017e8e424ce0d1d

SHA512
5856db1b10a7061dfefb053d5c0511fbea9bbc75fb8da7e6899d46595e9afc75a269497d75cbb41371b97145ccdcfd3025b95c54591da67952fbf058916705ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8dd0dacced1b3390bdcac515cd7e5123

SHA1
3985a770f648536b906236d26f57a296a55fc9a4

SHA256
4245b47b2e27f0dd205810f3ce027efb8ad1d33839ff8fdd9fcb2545d6da76aa

SHA512
ab55f8b62c6bce4e5deef8278c490789800273a54173596b9ee19a07d5d80edff1d6c20b65c740a3dbd4804042525b2b36eb9ba6da7be4acdcc9300a0530d86e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7989e1c9679b2f365f1b45996303df2a

SHA1
928ec8c8b2cd631de342d69b345233486cb2fdf1

SHA256
9f6c9dfde64f3f6b56eb0f28b536e79a63b2bd028ebcbc3b7893475480733927

SHA512
4254861ed9346205cfbb2d48ddc26f2290728345ea8d2352ad0329aba164213a163edad8e7a1d1851914c2aab7b0225d1356d312f79ae3d947c5d175a4709371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e8a6364edfd9ccf8ba9b443c728dc622

SHA1
072e23923f97214dc78c6ad59ef652fcaeb61c49

SHA256
ccb6c3ec289f342483bd5c39f0b7140aebba6eb7da403aea045b4bdd4fa4c8ba

SHA512
f39c9cac4c9fa0657a2a315a89115c4abb81ee71d2ba893b02c8860551bf78638bfeb1e7bc0f4a24c94a05f0fd6ad504e7a51aed2d282367ec02ad112209c231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
959f2753ce3d0518dbe5ba02cc097532

SHA1
b8c6bb52e86f9cd94ee839c97a326f4f970bf492

SHA256
fc123674e8aea8e72a98f83cf8e312d497a3a4d30580f29a738e21986b57f9d9

SHA512
a245dd7c57db205685bef4a9dff547364bd44d86517f9ac8bcbab67f867699212ed70e3b5c217f7f645cb3c3d5395dc3e7150e509e6c16a5e2a6bbc5278b15bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1f297bc62643d0ed9944ad81ed7ef97f

SHA1
55317c226af6135e4475bacb5a5c1923032e4d5f

SHA256
c40b62d800f5308368fad5450a002c5ae5b62fe259c07d04df30675491edee7f

SHA512
f1470d7c854c5fabef7c82dae6df41173539b0ea27e56977ac799edd0b4eb22468c4a44c5559c3920ba75a443eecf6b1872221db9361afbdf5e7883907ae4f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
16fbce25c58d41202d9811c0dcb19559

SHA1
8c50a05306846e531d01bc1dfd43a8f14f6b5a70

SHA256
93ae539c617bdc35db4dab6a53ce31429753c9c5cfc7199652823ae17ef65b3a

SHA512
569bdef5c0f80353806bfc7089de2f36e81dd7872b1665a471346995bc50681af004c1c563182f21a1081f9df5bbda07391c0d344e5e0672beadf41454f0f69c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
84c20d23f5e5fc619a4d07bce02263ef

SHA1
29c9b2e1ea3b39dca209af7070733772b34ed072

SHA256
3c1e1a09e23d5c07786695b5b95e5e1b089af8566df38d8b6292e069f9df4c75

SHA512
a478aaef1017ba5b337b0369fabc410540e7d82b04f860f9879dbf3f9954ae81b6dcf31e4783fb04a41d91384167828ff9c6648a86a2226a3e70930eb3319066

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
04935172f833cbf2f5d59819847a50d3

SHA1
2dceffe1972f6634b3e93f4c3badfac38458e55a

SHA256
c79ab0f9c87cf739ef227bb9cd3ff1962bc59f98202431d0a330feccaa6ff925

SHA512
e7dee99e0af451377be3b3ec2cb3e05106a3a3fe020b2096a3961d63ec5fddc0c3f18c9881ab7c3077b80673705c66115f55d72f0324b3a12b5248cfff919eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{78F4D711-464B-11EF-AD79-76B5B9884319}.dat

Filesize
5KB

MD5
78ed3e9439df1d0d71eca4975104ec3f

SHA1
5d65c8f44cb4e130a9c04d9d4d2c4f9f3cef69a1

SHA256
b14f9a1989cd21273271d9d24661b4d484fb919e8233bd23065b4a63e945a8be

SHA512
c66ef46abf468e5a1df27111d6eaee3c7f70e63187bee30f70875d2e5cebe0d156f2b636181527e69a131e21928d1d34e6efb516d6f7e7a0217618a57c86a1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD36.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDDE7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\shrpubw.lnk

Filesize
1KB

MD5
bf7ad82fd3c77bfb9b44ebc7011a99f7

SHA1
580c86e4c66529e1cab9c6a9e2d1b3ae7e81ab45

SHA256
55ff5999e0b3a3cdec4c3c5b7db731ad39fd29c08e5d847430723cc284eb042f

SHA512
8bdf9d0852fdbcb745749f1b8201d325dd6b70d85e4a9224fa8a633e9bea1e1551903e54bc8279b3509b67eff25b2e7fb838b3c10b9023edc82ab94feec05664

Download Submit
\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\shrpubw.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/2472-473-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-478-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-505-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-503-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-501-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-495-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-497-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-515-0x0000000005950000-0x0000000005952000-memory.dmp

Filesize
8KB

Download
memory/2472-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-476-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-486-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-499-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-488-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-484-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-482-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-955-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-957-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-468-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-471-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-480-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-18-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2604-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2604-0-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/2604-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2604-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2624-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2624-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download