cerber | fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6

Analysis

max time kernel
110s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/01/2025, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Size

395KB
MD5

9b55e3dbb34b1d422fe46487f42019a6
SHA1

ecc8ee4fe83f00d2b307a17ce4a323646aece2e0
SHA256

fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6
SHA512

8a0fca1dc36bf9053eab2a2c4e549e83e192b2b34e8ef814e031274d37157d13b2d02befb795195acb28af1a201a39dcb9356f2dad2187aaf4f5e86de051ae45
SSDEEP

6144:j/44D6oSKZyjhi7+jxF07ETxj85zdBdy+66lmppOLZB5wr:rp67KUA+jxG7eIHB6QLF+

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#C3rber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1 | | 2. http://bqyjebfh25oellur.onion.cab/E924-E80A-35C0-0072-BFD1 | | 3. http://bqyjebfh25oellur.onion.nu/E924-E80A-35C0-0072-BFD1 | | 4. http://bqyjebfh25oellur.onion.link/E924-E80A-35C0-0072-BFD1 | | 5. http://bqyjebfh25oellur.tor2web.org/E924-E80A-35C0-0072-BFD1 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://bqyjebfh25oellur.onion/E924-E80A-35C0-0072-BFD1 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1

http://bqyjebfh25oellur.onion.cab/E924-E80A-35C0-0072-BFD1

http://bqyjebfh25oellur.onion.nu/E924-E80A-35C0-0072-BFD1

http://bqyjebfh25oellur.onion.link/E924-E80A-35C0-0072-BFD1

http://bqyjebfh25oellur.tor2web.org/E924-E80A-35C0-0072-BFD1

http://bqyjebfh25oellur.onion/E924-E80A-35C0-0072-BFD1

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#C3rber Ransomware". <hr> If you are reading this message it means the software "Cerber" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files! When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li>Please wait...<a class="url" href="http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1" id="url_1" target="_blank">http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://bqyjebfh25oellur.onion.cab/E924-E80A-35C0-0072-BFD1" target="_blank">http://bqyjebfh25oellur.onion.cab/E924-E80A-35C0-0072-BFD1</a></li> <li><a href="http://bqyjebfh25oellur.onion.nu/E924-E80A-35C0-0072-BFD1" target="_blank">http://bqyjebfh25oellur.onion.nu/E924-E80A-35C0-0072-BFD1</a></li> <li><a href="http://bqyjebfh25oellur.onion.link/E924-E80A-35C0-0072-BFD1" target="_blank">http://bqyjebfh25oellur.onion.link/E924-E80A-35C0-0072-BFD1</a></li> <li><a href="http://bqyjebfh25oellur.tor2web.org/E924-E80A-35C0-0072-BFD1" target="_blank">http://bqyjebfh25oellur.tor2web.org/E924-E80A-35C0-0072-BFD1</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is Please wait...<a class="url" href="http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1" id="url_2" target="_blank">http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address Please wait...<a class="url" href="http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1" id="url_3" target="_blank">http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is Please wait...<a class="url" href="http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1" id="url_4" target="_blank">http://bqyjebfh25oellur.onion.to/E924-E80A-35C0-0072-BFD1</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://bqyjebfh25oellur.onion/E924-E80A-35C0-0072-BFD1 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); }

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	expand.exe

Contacts a large (524) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk	expand.exe

Executes dropped EXE 2 IoCs

pid	Process
2052	expand.exe
3020	expand.exe

Loads dropped DLL 3 IoCs

pid	Process
2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
2052	expand.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	expand.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	expand.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	expand.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp369A.bmp"	expand.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.txt	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.url	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.html	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.vbs	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1088	cmd.exe
604	PING.EXE
2936	cmd.exe
2160	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
2760	taskkill.exe
1812	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop	expand.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\\expand.exe\""	expand.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207918c9ab60db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029f5aeb4bc6a27409a4417790fa25fc8000000000200000000001066000000010000200000007813d7367722257aaf9c549d11a2c2bada22d0d258a845b4b9cda9aac4510a83000000000e8000000002000020000000a16108a6b720c7c7e81a4026fd8c569b82874ccd105f32fbb4b48b0353605588900000002c2ce5256daeeed652c4c1c382f16c01fdc7fb9882b048255ee189607d9c00495d88da40ba04610ccf64b4b4bbcc3bde9d81603e8a26a64f95cb45427f9457f821fcd4e18cc3a21b9a3d7b063acccf2badfbf05505f91799d22c786539365b737d248041bbf3b31b8309e85083803f2d456d2b7eb6d863c4535addabbf36224e787ca734468763e019ebefc5e37d3d134000000066855ac7c9b26e529f193fcca0996546aad6a361cb34c0da066e67d35deb1abad1155c2c685191c27a6828d3327927e200507acd8991a08cb2bc2b0121462d12	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029f5aeb4bc6a27409a4417790fa25fc8000000000200000000001066000000010000200000004d6f88edeef2952fb323605d93e7f7969172929c6554c0cf7640b5d591a22e38000000000e80000000020000200000004fc8e701fe8745d9a3b0a757b964d11ac6b0a491aa4a2c5b6cd4de590488acfb200000009cf8ae4e03dbe68901bafb102d3ae9a9deed00d02caf5daa36fa350f0c42508740000000fca8247ffae15e1883c8fa725b1fe7fd82c738de8855143ca19b59d1515ff5146960199a948a88f980391a0117792aed4256cad9b5074cd37d25278cd09055ea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F46AF4E1-CC9E-11EF-A540-C28ADB222BBA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F45F0E01-CC9E-11EF-A540-C28ADB222BBA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2160	PING.EXE
604	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe
2052	expand.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
Token: SeDebugPrivilege	2052	expand.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	3020	expand.exe
Token: SeDebugPrivilege	1812	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2988	iexplore.exe
1952	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1952	iexplore.exe
1952	iexplore.exe
2988	iexplore.exe
2988	iexplore.exe
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
2052	expand.exe
3020	expand.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2052	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	30
PID 2068 wrote to memory of 2052	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	30
PID 2068 wrote to memory of 2052	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	30
PID 2068 wrote to memory of 2052	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	30
PID 2068 wrote to memory of 2936	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	31
PID 2068 wrote to memory of 2936	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	31
PID 2068 wrote to memory of 2936	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	31
PID 2068 wrote to memory of 2936	2068	fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe	31
PID 2936 wrote to memory of 2760	2936	cmd.exe	33
PID 2936 wrote to memory of 2760	2936	cmd.exe	33
PID 2936 wrote to memory of 2760	2936	cmd.exe	33
PID 2936 wrote to memory of 2760	2936	cmd.exe	33
PID 2936 wrote to memory of 2160	2936	cmd.exe	35
PID 2936 wrote to memory of 2160	2936	cmd.exe	35
PID 2936 wrote to memory of 2160	2936	cmd.exe	35
PID 2936 wrote to memory of 2160	2936	cmd.exe	35
PID 2636 wrote to memory of 3020	2636	taskeng.exe	38
PID 2636 wrote to memory of 3020	2636	taskeng.exe	38
PID 2636 wrote to memory of 3020	2636	taskeng.exe	38
PID 2636 wrote to memory of 3020	2636	taskeng.exe	38
PID 2052 wrote to memory of 1952	2052	expand.exe	40
PID 2052 wrote to memory of 1952	2052	expand.exe	40
PID 2052 wrote to memory of 1952	2052	expand.exe	40
PID 2052 wrote to memory of 1952	2052	expand.exe	40
PID 2052 wrote to memory of 2100	2052	expand.exe	41
PID 2052 wrote to memory of 2100	2052	expand.exe	41
PID 2052 wrote to memory of 2100	2052	expand.exe	41
PID 2052 wrote to memory of 2100	2052	expand.exe	41
PID 1952 wrote to memory of 1256	1952	iexplore.exe	43
PID 1952 wrote to memory of 1256	1952	iexplore.exe	43
PID 1952 wrote to memory of 1256	1952	iexplore.exe	43
PID 1952 wrote to memory of 1256	1952	iexplore.exe	43
PID 2988 wrote to memory of 1836	2988	iexplore.exe	44
PID 2988 wrote to memory of 1836	2988	iexplore.exe	44
PID 2988 wrote to memory of 1836	2988	iexplore.exe	44
PID 2988 wrote to memory of 1836	2988	iexplore.exe	44
PID 2052 wrote to memory of 2396	2052	expand.exe	45
PID 2052 wrote to memory of 2396	2052	expand.exe	45
PID 2052 wrote to memory of 2396	2052	expand.exe	45
PID 2052 wrote to memory of 2396	2052	expand.exe	45
PID 2052 wrote to memory of 1088	2052	expand.exe	47
PID 2052 wrote to memory of 1088	2052	expand.exe	47
PID 2052 wrote to memory of 1088	2052	expand.exe	47
PID 2052 wrote to memory of 1088	2052	expand.exe	47
PID 1088 wrote to memory of 1812	1088	cmd.exe	49
PID 1088 wrote to memory of 1812	1088	cmd.exe	49
PID 1088 wrote to memory of 1812	1088	cmd.exe	49
PID 1088 wrote to memory of 604	1088	cmd.exe	50
PID 1088 wrote to memory of 604	1088	cmd.exe	50
PID 1088 wrote to memory of 604	1088	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
"C:\Users\Admin\AppData\Local\Temp\fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\expand.exe
  "C:\Users\Admin\AppData\Roaming\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\expand.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1256
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2396
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "expand.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\expand.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "expand.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1812
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:604
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe" > NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2160

C:\Windows\system32\taskeng.exe
taskeng.exe {766D71AA-23B7-40A0-88A9-B31F16D94BC1} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Roaming\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\expand.exe
  C:\Users\Admin\AppData\Roaming\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\expand.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:3020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1836

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f3e8fc80654cfed9f66cf762a4c7c21

SHA1
95ee7fc8216cd26bd503e3679898aa241df0dbba

SHA256
7858097cf2423dba31da00e1e1fb1af65d4a985d283076b6117218847434dc27

SHA512
d1b2ab42d7ec27ed18c1f865cb32e2c93d11c8f010696d2812ac5fb10ffa61c4da97095e0ca7b88a5b2724d05fff46ceab6be2144638cf05ac81905af276c88b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af0eb69eb02778e915d36351e7fd61c9

SHA1
a1e2a7c5a7e7421c085905db3019439416f94197

SHA256
92b07d5e7389d3b0fd09abe156d818ed8884c39ee98c3b3496f17be218e56f94

SHA512
91a895403e503667c3e54d2fff4c8c1b13d1fb93fa6e4b00a59418c32ba932b5f16c069f3f5b242cbff42569ff8417afef02919147a39f4d6e5113ae11f02158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a2eec03cae4119e45501fabd1a1a511

SHA1
a3c5b2dc5cb6a1456f6fcfa6c5909e2aa314705d

SHA256
e38af88f4428a320636a9a1af228098b23cdc575ddd5e71aec7c2f7504694cc2

SHA512
71132dd91f389a44ea0b2aa6eb1e64feb5922332068c9223ff9dbaf16a0952c59013923d1c2f92143aed292f1708826e026696bb0ba29a87deaf44019bc684d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69c9c081dca603954e2b05d41993cf59

SHA1
4c6c9471da4d19d38f6ff2bd984d025033452375

SHA256
5fe56894995f769110c013b5685ed210dc065c94b8dddbe44f39df111502f0ef

SHA512
0e0a27e2a89a3c5369dd86f8713e9cae085c1f27189cd5431f2469bdef8a591c1003e115233cee15981e1fc81819bc4431fe8848bfd8903f0e03b0f20a7856b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b57500342b3d39acb676b818f97fd82

SHA1
455165b34d091cd0c34df86c29d9e5975554eb95

SHA256
56ecbfc9a075f02e8d7ba156ff34ce58e3be3da2795ed9256bad5af8f6e6c370

SHA512
5336f59367dcc4c3ecb7154c1783d33c81bbc8202db9fabf31b2eebacbcf2f928a3074668d9c183ab8857d7cbbfcb36937242748b478dedef58f2eb98bafd48a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba25f32103ae129869f81e87a495f3db

SHA1
1eb98419c8c2c58b36a65c841ed2a085056933d9

SHA256
adea9d5b3af9a2ba04398c11d4a1372f601ee369c01491ba2127239dbe9896f1

SHA512
085304d63a7b6ac1df6288c12c2a4f2114c451f7e470be8f78d7da351e5001a89b4d39bc35baecca04c48849472f12075bc036a34b9495960493cb2a364c879f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a75f99aedccb078f1378b6a34006389

SHA1
4c77db2bd9cdb60e9b9dc5948af81096b8515b4a

SHA256
0b52bb9bbe1149c8eb1c491a47167ea1c98c0bc424006157c1d956ee5660e273

SHA512
33f2c23a22d018f91e65b7cda892aa2a2fe7271dba3d5fee53ccaa1ad4df16940dcf43bbef80a29c6da8f86c43ef965f9b9e479945f589d890f8388c2872f565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50ba995867961b81fcf11064a6b0cbff

SHA1
ffc7f38896ab1812e6b40ceaa891311ac37b6d5f

SHA256
9a731dd565d806ed3644e7daa30da3c7deda6e45548dd956fccf87ca47abbe92

SHA512
fd1536c15ba6e1f2b2454365704315bbe73a9a23ef81edf60d8e4062c660a1917c96a6893f1c962362daa1225f7eedf1e63b9a2283604d59c34ee415a2fcd644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f86be057140f26bed891fa69804e6df1

SHA1
bddefc96ca0bf2acc171d297e0c15bca5f22171d

SHA256
00ce96d7338f5fa48ae26bd6aaca0f992b0aabccb34edba205de66fcab89cb9d

SHA512
f500f13c09307991e69eef9a31c91978bc677486a6b09ee4b0d6fd8048533771de6d4eacd2a1fdb09e28c368da9780e5d8d117f579a4c52281cac58170770b88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d65c69386cf72fa6b5004b8a8bf937d

SHA1
a0bec025457ab2d6dca75253b723a45f7f30aadc

SHA256
7808ed74643a76c79aaa5fa8d2a6dca3d498aa2fb29dad20bae8ab70be269420

SHA512
d1f781e89ce8cd2a4ad24d62c2c160c559b241c3c1e5fa6fa70cea9f76a6a8280bd8611babc39b7de30b8ad4c5cbbd5147016616f3cc1781211809251f7019e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b65e582d1c90c0d9c5400a3aad81420

SHA1
019193651eea8aaa3b27500083f106832b1e36b2

SHA256
d389785b409609734371797be364807c9bb9c532ba39553bac346373d3af8d60

SHA512
101e10b89925d8af42d96a094b989c3f7378fb727c72432a7569f12089cd6421782c13994128fa674e6cc133744bda8aecedc2089e4c651d01d2879751235854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F45F0E01-CC9E-11EF-A540-C28ADB222BBA}.dat

Filesize
4KB

MD5
7e40e72d17bb268f4467760ec55dea74

SHA1
82446a7d6cbb50a31e550f965fb70fc35940d1fe

SHA256
21b51de0966c759f6d7ccdd9edc3a4662e78ca28b507fbd3a791fdce9de5613b

SHA512
73d3caffac317a6c96e71754ea49f72227b118fd7ac1d77e9035433992d726ec6f031967e9e7ae50a2f14d1962397a44ffda2c14357caecc3870f3d04cfe5f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F46AF4E1-CC9E-11EF-A540-C28ADB222BBA}.dat

Filesize
5KB

MD5
777851f97b532eab74009b5a7e41f072

SHA1
7a16f5820310cd442d255f992642e68b4cefa98d

SHA256
1dde14d16c541944ba14691698eb03dbebfe9f21ede41d8c5778b8d8898f31d3

SHA512
a95ee4f65d676d549fe46fd921f8c0e4831b97de9eda29a6ace1649e0a9ac7e7e9da07182c8cb2b5e9bb1d71ed1d03dd06fe6e4e4498a98faa2c6422d89ac751

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E9F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F00.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

Filesize
19KB

MD5
591e3e3f8b979af27c5f9976624a788a

SHA1
7cacddfb92862c5523c39f9f0d8336fec268253e

SHA256
2d1ffcfcf262bfffb2d0da71c0ea1546505a9f27ed07b4861537b101fd701831

SHA512
8383e6b07465030dfa2f2ab1c19c04d39372b860b66b6eba9c65ee54ca031f68c699ea595835eeeabb2c964b891d31e7bde2768a4d376f04e50e6be8461b3ae3

Download Submit
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
4f18dad2f65051cf69a1d948ee4cf910

SHA1
7f292f68ba52d64668f37f3acc3de4d6bd6f46c2

SHA256
9ca6f4ea9a1b301a86c314be05b32c764b7ef55e42b57dd9f52d9de8fad0df0d

SHA512
f486d58861513bdd1932f24ef8015d1106684665acbac4b7cab166d5ef63b52461532f6fb32afee6c5661dd3eefa8f0a8b3f74ea5082db4ad6219ab1f5d42def

Download Submit
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.url

Filesize
88B

MD5
bdd8c37b1087f50df57785d650b14612

SHA1
8e9dfc5dba89cdbeb753ec5b1347575b3d32b145

SHA256
278d50cc2cb82845e56ae2dfc9a6ddd3a7b5355b2848a47b8e894e25c04f80e2

SHA512
6fed56ea695bd6c7d45913fce4cc3a7b675e6a847dda9596acc5468dabdf7869f1a4ae3fe0ac9b093c6a6e5de6047594344082ac0d2cda4ca73a49249be83550

Download Submit
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.vbs

Filesize
246B

MD5
d3e80e1e6dffc81a2e72c05c9b482fc6

SHA1
bdcca42f5f612531bc5a4d14af649fa8a80bab34

SHA256
f7902386a8d4572575441be399933b81fa4a16090925ef49a3914cff256f806b

SHA512
3e5bfc95e0b3c80b6edf8d63157456f3a918d93db972ed4868539eabf63a1e737dbbb8d320e9f9e490d08aa7f7458bad67e8220f7df3e3f725b01b44b0564680

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk

Filesize
1KB

MD5
276abd64b9020529b33506a8e36844e2

SHA1
2733afb714001de12f8e9caf2fcd8d92738fb9fd

SHA256
dbbe3bf855f9c36ad2068dcb39f203596d736226ae6b44029a831f80851f4184

SHA512
15df00fb5010093e654145a171f315c2644b6308073c0126bde013cb1d740a137176f865f10d337259c583cc03b77b7a3a7cde27ef895f6ad99bcb96fb059f7b

Download Submit
C:\Users\Admin\AppData\Roaming\{0FB3C083-DBC2-04E3-36AB-7D13DD964B1E}\expand.exe

Filesize
395KB

MD5
9b55e3dbb34b1d422fe46487f42019a6

SHA1
ecc8ee4fe83f00d2b307a17ce4a323646aece2e0

SHA256
fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6

SHA512
8a0fca1dc36bf9053eab2a2c4e549e83e192b2b34e8ef814e031274d37157d13b2d02befb795195acb28af1a201a39dcb9356f2dad2187aaf4f5e86de051ae45

Download Submit
memory/2052-463-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-511-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-460-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-466-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-469-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-472-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-475-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-478-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-481-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-484-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-487-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-454-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-451-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-498-0x0000000005D80000-0x0000000005D82000-memory.dmp

Filesize
8KB

Download
memory/2052-457-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-448-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-445-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-442-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2052-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2068-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2068-0-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download
memory/2068-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2068-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download