Analysis

  • max time kernel
    1805s
  • max time network
    1706s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    07-04-2022 19:21

General

  • Target

    VirusShare_41d87fa0c9244a9a098742155a862e4d.exe

  • Size

    382KB

  • MD5

    41d87fa0c9244a9a098742155a862e4d

  • SHA1

    f80f8a9584fd4ec0a3e86f0a4bedd66bf204bcdc

  • SHA256

    60767e516dcf017b6a446f383a87afda3ce002292866195bdcffb5c8e9dac0c9

  • SHA512

    bed43d92325b572f9a1dde0f6088569679619b50d55f120b67b3db0c5dd3c1db604702881b0f7180f1a66069a9f0e2177b7bbd70af8e88da530563163afbd359

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> 
<p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software 
package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC</a></li> <li><a href="http://4kqd3hmqgptupi3p.sdfiso.win/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.sdfiso.win/4822-A8B7-5FD2-0042-F8CC</a></li> <li><a href="http://4kqd3hmqgptupi3p.wins4n.win/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/4822-A8B7-5FD2-0042-F8CC</a></li> <li><a href="http://4kqd3hmqgptupi3p.we34re.top/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.we34re.top/4822-A8B7-5FD2-0042-F8CC</a></li> <li><a href="http://4kqd3hmqgptupi3p.onion.to/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.onion.to/4822-A8B7-5FD2-0042-F8CC</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> 
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC" target="_blank">http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://4kqd3hmqgptupi3p.onion/4822-A8B7-5FD2-0042-F8CC</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E

#########################################################################

Cannot you find the files you need?
Is the content of the files that you looked for not readable?

It is normal because the files' names, as well as the data in your files have been encrypted.

Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.

#########################################################################

!!! If you are reading this message it means the software
!!! "Cerber Rans0mware" has been removed from your computer.

#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

#########################################################################

!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.

#########################################################################

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

After purchase of the software package you will be able to:

1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:

 _______________________________________________________________________
|                                                                       |
| 1. http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC        |
| 2. http://4kqd3hmqgptupi3p.sdfiso.win/4822-A8B7-5FD2-0042-F8CC        |
| 3. http://4kqd3hmqgptupi3p.wins4n.win/4822-A8B7-5FD2-0042-F8CC        |
| 4. http://4kqd3hmqgptupi3p.we34re.top/4822-A8B7-5FD2-0042-F8CC        |
| 5. http://4kqd3hmqgptupi3p.onion.to/4822-A8B7-5FD2-0042-F8CC          |
|_______________________________________________________________________|

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address

 ________________________________________________________
|                                                        |
| http://4kqd3hmqgptupi3p.onion/4822-A8B7-5FD2-0042-F8CC |
|________________________________________________________|

   in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your convenience.

Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.

The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.

The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.

Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.sdfiso.win/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.wins4n.win/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.we34re.top/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.onion.to/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.onion/4822-A8B7-5FD2-0042-F8CC

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
C E R B E R   R A N S O M W A R E

Cannot you find the files you need?
Is the content of the files that you looked for not readable?

It is normal because the files' names, as well as the data in your files have been encrypted.

Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.

If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.

What is encryption?

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

Everything is clear for me but what should I do?

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

After purchase of the software package you will be able to:

1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

There is a list of temporary addresses to go on your personal page below:

1. http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC
2. http://4kqd3hmqgptupi3p.sdfiso.win/4822-A8B7-5FD2-0042-F8CC
3. http://4kqd3hmqgptupi3p.wins4n.win/4822-A8B7-5FD2-0042-F8CC
4. http://4kqd3hmqgptupi3p.we34re.top/4822-A8B7-5FD2-0042-F8CC
5. http://4kqd3hmqgptupi3p.onion.to/4822-A8B7-5FD2-0042-F8CC

What should you do with these addresses?

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://4kqd3hmqgptupi3p.onion/4822-A8B7-5FD2-0042-F8CC in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your convenience.

Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.

The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.

The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.

Together we make the Internet a better and safer place.

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.sdfiso.win/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.wins4n.win/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.we34re.top/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.onion.to/4822-A8B7-5FD2-0042-F8CC

http://4kqd3hmqgptupi3p.onion/4822-A8B7-5FD2-0042-F8CC

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • suricata: ET MALWARE Ransomware/Cerber Checkin 2

    suricata: ET MALWARE Ransomware/Cerber Checkin 2

  • suricata: ET MALWARE Ransomware/Cerber Checkin M3 (5)

    suricata: ET MALWARE Ransomware/Cerber Checkin M3 (5)

  • Contacts a large (16429) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 9 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_41d87fa0c9244a9a098742155a862e4d.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_41d87fa0c9244a9a098742155a862e4d.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
      "C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Adds Run key to start application
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeeb9546f8,0x7ffeeb954708,0x7ffeeb954718
          4⤵
          PID:3216
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
          4⤵
          PID:2292
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
          4⤵
          PID:5080
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
          4⤵
          PID:4224
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
          4⤵
          PID:2860
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
          4⤵
          PID:548
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
          4⤵
          PID:1372
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
          4⤵
          PID:1612
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
          4⤵
          PID:1872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
          4⤵
          PID:4608
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
          4⤵
          PID:4796
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5824 /prefetch:8
          4⤵
          PID:3916
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 /prefetch:8
          4⤵
          PID:4160
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
          4⤵
          PID:1620
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:8
          4⤵
          PID:4704
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          4⤵
          • Drops file in Program Files directory
          PID:3492
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x208,0x22c,0x7ff6a7645460,0x7ff6a7645470,0x7ff6a7645480
            5⤵
            PID:4652
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:8
          4⤵
          PID:1656
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
          4⤵
          PID:4744
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
          4⤵
          PID:4064
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
          4⤵
          PID:5064
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6308 /prefetch:2
          4⤵
          PID:4984
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
          4⤵
          PID:2028
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6512 /prefetch:8
          4⤵
          PID:2148
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1332 /prefetch:8
          4⤵
          PID:3488
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
          4⤵
          PID:2856
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:8
          4⤵
          PID:4380
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5008 /prefetch:8
          4⤵
          PID:5036
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4924 /prefetch:8
          4⤵
          PID:984
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
          4⤵
          PID:4068
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11089579506099236616,16084255635423358727,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
          4⤵
          PID:3740
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:4748
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://4kqd3hmqgptupi3p.xkfi59.top/4822-A8B7-5FD2-0042-F8CC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffeeb9546f8,0x7ffeeb954708,0x7ffeeb954718
          4⤵
          PID:1272
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11165063804163193649,13967934995742303552,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
          4⤵
          PID:796
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11165063804163193649,13967934995742303552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
          4⤵
          PID:360
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:4556
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "esentutl.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe" > NUL
        3⤵
        PID:1300
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "esentutl.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2120
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:772
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "VirusShare_41d87fa0c9244a9a098742155a862e4d.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_41d87fa0c9244a9a098742155a862e4d.exe" > NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "VirusShare_41d87fa0c9244a9a098742155a862e4d.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:5080
  • C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2648
  • C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4556
  • C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1844
  • C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1656
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f8 0x504
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4080
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4432
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
    PID:3172

Network

MITRE ATT&CK Enterprise v6

                                                                              Downloads

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: fa0f335aed03f37d107743b53054938f
  SHA1: 92e70323951fadecbf01b0083ff1f8467aeb2267
  SHA256: 8ed2ab6926b7c652ab59ef69acdd13e08031e7c24c59e19ed2de299a69dae743
  SHA512: 7538bac51ee819c886f987d627d9535cd835475a16f4a8d4bc101873ce55a6d3ed9569a0a763ca58bc732c215d67d2876c38c8bc6787c28ef1d67f44c39adc28

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: c1556a561a27904fd20a49c300482d51
  SHA1: 6e3965ff50e8e7d1e96a2d45e4dfc1ca5755aa33
  SHA256: b101d260d9fcd242c4216d9890383b23fc4e70ef68bedcd92ce5b7c5e0bbe9c4
  SHA512: 55b8ac257b7a75115be004b9a2e1763869cf3a2e9d71c637bbbc804db88724c436bdef21385712df9f7aa839e246a74270fbbad1785584fe17843f9421c61372

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5: 818cb1d6565ee8918263105ae52e082d
  SHA1: d945ae4c84bea0762fac91707af1d255280648e2
  SHA256: e874fdba0c2fc9529114a3fc17c9393faaa06be44a6939e224fed79f2c62e3c1
  SHA512: 29e3b4176c78e8b2810d16cc790a3e89d51bcf93f6d78485e9b836826956f0d730e1d57f8b16cc7ae21074a197c754a64028cd5ff62987168dbe960aab17f2fc

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising
  Filesize: 24KB
  MD5: 4e9962558e74db5038d8073a5b3431aa
  SHA1: 3cd097d9dd4b16a69efbb0fd1efe862867822146
  SHA256: 6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
  SHA512: fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics
  Filesize: 4KB
  MD5: fad197d6ffd32d1268b9e7e8d13ab32a
  SHA1: b0129887a75965bb2ef56a2c39d3231e5b87265d
  SHA256: 4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3
  SHA512: 01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CompatExceptions
  Filesize: 660B
  MD5: 900263477e1368869fbf1be99990c878
  SHA1: e56e199aa4119f3cc4c4d46f96daea89bbf9685a
  SHA256: 7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4
  SHA512: 1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content
  Filesize: 6KB
  MD5: 94c183b842784d0ae69f8aa57c8ac015
  SHA1: c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
  SHA256: aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
  SHA512: 5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining
  Filesize: 1KB
  MD5: 8c31feb9c3faaa9794aa22ce9f48bfbd
  SHA1: f5411608a15e803afc97961b310bb21a6a8bd5b6
  SHA256: 6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
  SHA512: ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Entities
  Filesize: 68KB
  MD5: 0d37c9d98f35f2c6524bd9b874ec93ed
  SHA1: 87d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5
  SHA256: 19ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac
  SHA512: 68e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting
  Filesize: 1KB
  MD5: b51076d21461e00fcbf3dbd2c9e96b2b
  SHA1: 31311536cf570f2f9c88d21f03a935ac6e233231
  SHA256: 21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993
  SHA512: 3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other
  Filesize: 34B
  MD5: cd0395742b85e2b669eaec1d5f15b65b
  SHA1: 43c81d1c62fc7ff94f9364639c9a46a0747d122e
  SHA256: 2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
  SHA512: 4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social
  Filesize: 999B
  MD5: 152b745da17397ed5a2f3059bb157600
  SHA1: 47bf4e575ba1acf47dcc99f1800f753b4cc65ef6
  SHA256: ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8
  SHA512: 4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising
  Filesize: 459B
  MD5: d024831cae8599f0edee70275d99e843
  SHA1: 69e08b543802b130da5305cbb0140bda5601079c
  SHA256: 0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978
  SHA512: ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics
  Filesize: 50B
  MD5: 4cefbb980962973a354915a49d1b0f4d
  SHA1: 1d20148cab5cdadb85fad6041262584a12c2745d
  SHA256: 66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a
  SHA512: 6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content
  Filesize: 36B
  MD5: 7f077f40c2d1ce8e95faa8fdb23ed8b4
  SHA1: 2c329e3e20ea559974ddcaabc2c7c22de81e7ad2
  SHA256: bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
  SHA512: c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining
  Filesize: 32B
  MD5: 4ec1eda0e8a06238ff5bf88569964d59
  SHA1: a2e78944fcac34d89385487ccbbfa4d8f078d612
  SHA256: 696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
  SHA512: c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Entities
  Filesize: 2KB
  MD5: ba60431b366f83677a5bf1a2e4601799
  SHA1: 83f828c27de5429e25c38c36ba77e069d5c7b2de
  SHA256: ab895ef5f75efd49dbb4fcdf7529e50ca622d13433e067bcf8a1f1127a944da3
  SHA512: aa9ff0374fb3d4bff7ee5a78dd5ace340da4af1a844f453a40b2723a91b32e6e3f4bd736fb3f3cb210b016109660a7b5cc8440901c6bb410e61530286a4e0200

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting
  Filesize: 110B
  MD5: a004023825237dadc8f934758ff9eaf2
  SHA1: c981a900b5ce63884635cedfe5ba722416021cb2
  SHA256: 3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7
  SHA512: e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Other
  Filesize: 75B
  MD5: c6c7f3ee1e17acbff6ac22aa89b02e4e
  SHA1: bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
  SHA256: a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
  SHA512: 86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Social
  Filesize: 35B
  MD5: 976b1cf7e3442f88cd8ba26d3f0965bb
  SHA1: b75438dc71de4ac761d94a215ddbffadcd1225b0
  SHA256: decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541
  SHA512: d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Staging
  Filesize: 519B
  MD5: 9ca5eb41a53645be63d247ad8a9a7869
  SHA1: 2e98b04b5a2efb04d20bc7fe51b05c4e4841205b
  SHA256: f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9
  SHA512: 7dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\esentutl.lnk
  Filesize: 1KB
  MD5: ec8d4be2967728c95209c01e1c92facf
  SHA1: 95e07479a85be3cacf3739028bdd469fed866c1a
  SHA256: e57a7962959b7ea6bdeeebe92942fa3783432f4390111bf5017e332000e6fe42
  SHA512: ca859e25ee6cf5ec4e911cb1df524f9a049d46b8fde33922653edc0dc9fdb4e822f5879664875aa0f385c63ea5026621e8907db7693c75735c9542066239b5a0

• C:\Users\Admin\AppData\Roaming\{6B045A80-4FC8-BA51-EC84-FDB59219BC98}\esentutl.exe
  Filesize: 382KB
  MD5: 41d87fa0c9244a9a098742155a862e4d
  SHA1: f80f8a9584fd4ec0a3e86f0a4bedd66bf204bcdc
  SHA256: 60767e516dcf017b6a446f383a87afda3ce002292866195bdcffb5c8e9dac0c9
  SHA512: bed43d92325b572f9a1dde0f6088569679619b50d55f120b67b3db0c5dd3c1db604702881b0f7180f1a66069a9f0e2177b7bbd70af8e88da530563163afbd359

                                                                              • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

                                                                                Filesize

                                                                                12KB

                                                                                MD5

                                                                                9e0fea6fa3920ae064b087b05e2d5482

                                                                                SHA1

                                                                                c3cd6edf9d1a35cedf7f7e3ed434598e4f112cef

                                                                                SHA256

                                                                                3f5aea9cc0b930cc5a8a4a69c1554fdfe20e657abde882b35239e189af3029e8

                                                                                SHA512

                                                                                53aed7201e33a3fafd5d8d3bf4fc53df41c9343ea96aceaa064bdcafbe00b322a97a00c38da38c5a38479fa6baa7cb39b16908ec418d65039db6b4f3fa4fced5

                                                                              • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

                                                                                Filesize

                                                                                10KB

                                                                                MD5

                                                                                cc3d970612743f91b10b5a1d4b1bd7b3

                                                                                SHA1

                                                                                6b32df489096d1bba4a5423633f676c0349c452c

                                                                                SHA256

                                                                                7e49b140c50cfa0ae060f9ad6a970f1c364431dd5da604d4db3c32b8d3e58ccd

                                                                                SHA512

                                                                                f61d074f48a9641ee79b1e16f9d1c9538e50e35138d8575e262f7147468749932aff5b6b51262c73c05c29035e413f4da1da378fb82672dfca6a5774d8323e94

                                                                              • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

                                                                                Filesize

                                                                                231B

                                                                                MD5

                                                                                9d8c4bfbd009c4d6001e2125abaa8b02

                                                                                SHA1

                                                                                cd040558172b5fca5b200447a281843956243741

                                                                                SHA256

                                                                                a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

                                                                                SHA512

                                                                                c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

                                                                              • memory/796-159-0x00007FFEF0DD0000-0x00007FFEF0DD1000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                              • memory/1656-151-0x0000000000400000-0x0000000000424000-memory.dmp

                                                                                Filesize

                                                                                144KB

                                                                              • memory/1844-140-0x0000000000400000-0x0000000000424000-memory.dmp

                                                                                Filesize

                                                                                144KB

                                                                              • memory/2648-136-0x0000000000400000-0x0000000000424000-memory.dmp

                                                                                Filesize

                                                                                144KB

                                                                              • memory/3108-132-0x0000000000400000-0x0000000000462000-memory.dmp

                                                                                Filesize

                                                                                392KB

                                                                              • memory/4556-138-0x0000000000400000-0x0000000000424000-memory.dmp

                                                                                Filesize

                                                                                144KB

                                                                              • memory/4896-124-0x0000000000D10000-0x0000000000D31000-memory.dmp

                                                                                Filesize

                                                                                132KB

                                                                              • memory/4896-125-0x0000000000400000-0x0000000000462000-memory.dmp

                                                                                Filesize

                                                                                392KB