Analysis
max time kernel: 151s
max time network: 136s
platform: windows10_x64
resource: win10v20210410
submitted: 26-07-2021 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
  Resource: win10v20210410
General
Target: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Size: 125KB
MD5: c4472cd02b1396ca49935f029db6a8ec
SHA1: fa4891fc8416a191d255fc186ef534d022d665e2
SHA256: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270
SHA512: 4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
http://cerberhhyed5frqa.onion.to/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion.cab/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion.nu/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion.link/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.tor2web.org/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion/FAA9-7BEC-BA9A-0006-420A
Extracted from: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
URLs:
http://cerberhhyed5frqa.onion.to/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion.cab/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion.nu/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion.link/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.tor2web.org/FAA9-7BEC-BA9A-0006-420A
http://cerberhhyed5frqa.onion/FAA9-7BEC-BA9A-0006-420A
Signatures
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (16)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | perfmon.exe
Executes dropped EXE (3 IoCs)
Processes:
pid | process
2804 | perfmon.exe
3024 | perfmon.exe
4028 | perfmon.exe
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\ConvertConnect.tiff | perfmon.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | perfmon.exe
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\perfmon.lnk | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\perfmon.lnk | perfmon.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | perfmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | perfmon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | perfmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | perfmon.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | ipinfo.io
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8185.bmp" | perfmon.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (2 IoCs)
Processes:
pid | process
2728 | taskkill.exe
4552 | taskkill.exe
Modifies Control Panel (4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop | perfmon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\\perfmon.exe\"" | perfmon.exe
Modifies Internet Explorer settings (4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies registry class (64 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9e317eea2182d701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{BAE618DE-2DD1-4E8B-A682-AF284BFD90C7} = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 90d8edfc4182d701 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | perfmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 550a93fd2182d701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 36bee9ef2182d701 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = d0b590fd2182d701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a165e3ef2182d701 | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1" | MicrosoftEdgeCP.exe
Runs ping.exe (1 TTPs, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
2804 | perfmon.exe (the same entry is listed for each of the 64 IoCs)
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
pid | process
488 | MicrosoftEdgeCP.exe
488 | MicrosoftEdgeCP.exe
488 | MicrosoftEdgeCP.exe
Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2192 | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Token: SeDebugPrivilege | 2804 | perfmon.exe
Token: SeDebugPrivilege | 2728 | taskkill.exe
Token: SeDebugPrivilege | 3024 | perfmon.exe
Token: SeDebugPrivilege | 1988 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 1988 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 1988 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 1988 | MicrosoftEdge.exe
Token: 33 | 4232 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4232 | AUDIODG.EXE
Token: SeDebugPrivilege | 1056 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1056 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1056 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1056 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 3448 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 3448 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 3448 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 3448 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4028 | perfmon.exe
Token: SeDebugPrivilege | 4552 | taskkill.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
1988 | MicrosoftEdge.exe
488 | MicrosoftEdgeCP.exe
488 | MicrosoftEdgeCP.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
description | pid | process | target process
PID 2192 wrote to memory of 2804 | 2192 | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe | perfmon.exe
PID 2192 wrote to memory of 2804 | 2192 | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe | perfmon.exe
PID 2192 wrote to memory of 2804 | 2192 | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe | perfmon.exe
PID 2192 wrote to memory of 2920 | 2192 | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe | cmd.exe
PID 2192 wrote to memory of 2920 | 2192 | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe | cmd.exe
PID 2192 wrote to memory of 2920 | 2192 | 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe | cmd.exe
PID 2920 wrote to memory of 2728 | 2920 | cmd.exe | taskkill.exe
PID 2920 wrote to memory of 2728 | 2920 | cmd.exe | taskkill.exe
PID 2920 wrote to memory of 2728 | 2920 | cmd.exe | taskkill.exe
PID 2920 wrote to memory of 1808 | 2920 | cmd.exe | PING.EXE
PID 2920 wrote to memory of 1808 | 2920 | cmd.exe | PING.EXE
PID 2920 wrote to memory of 1808 | 2920 | cmd.exe | PING.EXE
PID 2804 wrote to memory of 1444 | 2804 | perfmon.exe | NOTEPAD.EXE
PID 2804 wrote to memory of 1444 | 2804 | perfmon.exe | NOTEPAD.EXE
PID 2804 wrote to memory of 3032 | 2804 | perfmon.exe | WScript.exe
PID 2804 wrote to memory of 3032 | 2804 | perfmon.exe | WScript.exe
PID 488 wrote to memory of 1056 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 488 wrote to memory of 1056 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 488 wrote to memory of 3448 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 488 wrote to memory of 3448 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 488 wrote to memory of 3448 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 488 wrote to memory of 3448 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 488 wrote to memory of 3448 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 488 wrote to memory of 3448 | 488 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 2804 wrote to memory of 4508 | 2804 | perfmon.exe | cmd.exe
PID 2804 wrote to memory of 4508 | 2804 | perfmon.exe | cmd.exe
PID 4508 wrote to memory of 4552 | 4508 | cmd.exe | taskkill.exe
PID 4508 wrote to memory of 4552 | 4508 | cmd.exe | taskkill.exe
PID 4508 wrote to memory of 4660 | 4508 | cmd.exe | PING.EXE
PID 4508 wrote to memory of 4660 | 4508 | cmd.exe | PING.EXE
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe"
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  Image: C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe"
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    Image: C:\Windows\system32\NOTEPAD.EXE (depth 3)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    -
    Image: C:\Windows\System32\WScript.exe (depth 3)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    -
    Image: C:\Windows\system32\cmd.exe (depth 3)
    Command line: /d /c taskkill /t /f /im "perfmon.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe" > NUL
    - Suspicious use of WriteProcessMemory
    -
      Image: C:\Windows\system32\taskkill.exe (depth 4)
      Command line: taskkill /t /f /im "perfmon.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      -
      Image: C:\Windows\system32\PING.EXE (depth 4)
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
      -
  Image: C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: /d /c taskkill /t /f /im "392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL
  - Suspicious use of WriteProcessMemory
  -
    Image: C:\Windows\SysWOW64\taskkill.exe (depth 3)
    Command line: taskkill /t /f /im "392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    Image: C:\Windows\SysWOW64\PING.EXE (depth 3)
    Command line: ping -n 1 127.0.0.1
    - Runs ping.exe
    -
Image: C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe (depth 1)
Command line: C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Image: C:\Windows\system32\browser_broker.exe (depth 1)
Command line: C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
Image: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe (depth 1)
Command line: C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\AUDIODG.EXE (depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x42c
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
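The two cmd.exe nodes in the tree above run the same cleanup chain: kill an image by name, wait one ping round-trip to 127.0.0.1, then delete the file. The example below is added detection logic written for this page, not code from the sandbox or the sample. It assumes a Sysmon-style process-creation record (pid, ppid, image, cmdline); the command lines and PIDs 2804/4508/4552/4660 come from the report's process tree and WriteProcessMemory log, while PIDs 1000, 5000 and 5100 and the benign control record are made up. The strongest signal, checked here, is that the deleted path is the image of the cmd.exe's own parent, i.e. the process is removing itself.

```python
"""Flag the taskkill -> ping 127.0.0.1 -> del self-deletion chain.

Added example for this page; not code from the sandbox or the sample.
Record shape (pid, ppid, image, cmdline) is an assumed Sysmon-style layout.
"""
import re

# taskkill [/t] /f /im "<image>" ... & ping -n <n> 127.0.0.1 ... & del "<path>"
SELF_DELETE = re.compile(
    r'taskkill\s+(?:/t\s+)?/f\s+/im\s+"?(?P<image>[^"\s]+)"?'
    r'.*?&\s*ping\s+-n\s+\d+\s+127\.0\.0\.1'
    r'.*?&\s*del\s+"?(?P<path>[^"]+?)"?\s*(?:>\s*NUL)?\s*$',
    re.IGNORECASE,
)

# A "\{GUID}\" directory component, as in the drop path from the report.
GUID_DIR = re.compile(
    r'\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\', re.IGNORECASE
)

APPDATA_PERFMON = (
    r"C:\Users\Admin\AppData\Roaming"
    r"\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe"
)

# Constructed input. PIDs 2804/4508/4552/4660 and the command lines are taken
# from the report; PIDs 1000/5000/5100 and the last record are made up.
EVENTS = [
    {"pid": 2804, "ppid": 1000, "image": APPDATA_PERFMON,
     "cmdline": f'"{APPDATA_PERFMON}"'},
    {"pid": 4508, "ppid": 2804, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'/d /c taskkill /t /f /im "perfmon.exe" > NUL & '
                r'ping -n 1 127.0.0.1 > NUL & del "' + APPDATA_PERFMON + r'" > NUL'},
    {"pid": 4552, "ppid": 4508, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": r'taskkill /t /f /im "perfmon.exe"'},
    {"pid": 4660, "ppid": 4508, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": r"ping -n 1 127.0.0.1"},
    # Benign control: an admin one-liner that kills a process but deletes nothing.
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"/c taskkill /f /im notepad.exe & ping -n 1 127.0.0.1"},
]


def basename(path):
    """Last path component, lower-cased, for case-insensitive name checks."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(events):
    """Return one hit per cmd.exe whose command line matches the chain.

    Each hit records whether the killed image and the deleted file share a
    name, whether the deleted file is the image of the cmd.exe's parent
    (true self-deletion), and whether the path sits in a {GUID} directory.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        killed = m.group("image").lower()
        deleted = m.group("path")
        parent = by_pid.get(e["ppid"])
        hits.append({
            "cmd_pid": e["pid"],
            "killed_image": killed,
            "deleted_path": deleted,
            "names_match": killed == basename(deleted),
            "parent_is_target": parent is not None
                                and parent["image"].lower() == deleted.lower(),
            "guid_dir": bool(GUID_DIR.search(deleted)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(EVENTS):
        print(hit)
```

Only the record for PID 4508 is flagged: the benign control never reaches the `del` stage of the pattern, so it does not match. The second chain in the tree (the SysWOW64 cmd.exe deleting the sample from %TEMP%) is not in the constructed input because the report gives no PIDs for it, but the same function flags it once the records are supplied.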
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\perfmon.lnk
MD5 85607afcbd574c3f60c6948e01fa6a33
SHA1 48f3c5547a0f0857cf3d8d016983c0c44f1bc601
SHA256 0d2a55d67f1c3b251dbdeb11909dc31dc83236cfbe04ba99fde04964064d362b
SHA512 34dee59873bb510b5a4a05384065736053f50e91282f10f1afe2048056714c649847dbe057621b49630f7a06cd5a08fdacfc2cc0c28aadd8746e40524940e330
-
C:\Users\Admin\AppData\Roaming\{C2C4B94B-D18B-6228-7B7A-A282CDB6F1A3}\perfmon.exe (listed four times in the report with identical hashes; the SHA256 is the submitted sample's own, as carried in the sample file name)
MD5 c4472cd02b1396ca49935f029db6a8ec
SHA1 fa4891fc8416a191d255fc186ef534d022d665e2
SHA256 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270
SHA512 4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
MD5 e1f85f782daaa4d70913c0694f2c9976
SHA1 4cf7da07e6262b34a8175cf4cdaf53aa3a7af62e
SHA256 6c6dfa157699bb0cf406b7c351d37827c2c5acc2997ed5c98e11adbe37f31341
SHA512 5255dfbb2905921a05f601d091e9bea0aeca43618ce17784b9da66bd6e38b6791b02eb60ee603f01622e0baf99d6384c5beb2d5a7e7ec6cc088268a2f0660749
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
MD5 939895a9203c45af63e8359d90e98691
SHA1 4f17627a8c72ef9e91e8425cbc6bafd16e54342b
SHA256 87f79f20ad24f65b793d3005da932ffb2040a910b4459cad2a53a4dca45c3385
SHA512 8009cf06164e5eb54da3b1ba41beb5980234c018cffdc4dd0c6ebe039254cf80bbeab4527721f0dc5613c407977b6137a67b24fdbdaa1d01a7d6cabff97778fb
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
MD5 9d8c4bfbd009c4d6001e2125abaa8b02
SHA1 cd040558172b5fca5b200447a281843956243741
SHA256 a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0
SHA512 c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f
-
memory/1444-123-0x0000000000000000-mapping.dmp
-
memory/1808-119-0x0000000000000000-mapping.dmp
-
memory/2728-118-0x0000000000000000-mapping.dmp
-
memory/2804-114-0x0000000000000000-mapping.dmp
-
memory/2920-117-0x0000000000000000-mapping.dmp
-
memory/3032-125-0x0000000000000000-mapping.dmp
-
memory/4508-132-0x0000000000000000-mapping.dmp
-
memory/4552-133-0x0000000000000000-mapping.dmp
-
memory/4660-134-0x0000000000000000-mapping.dmp