cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
1791s
max time network
1774s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
07-04-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Score

10^/10

cerber discovery persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.qor499.top/7E15-35A0-9BAB-029E-D865</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.gkfit9.win/7E15-35A0-9BAB-029E-D865</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.305iot.win/7E15-35A0-9BAB-029E-D865</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.dkrti5.win/7E15-35A0-9BAB-029E-D865</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865" target="_blank">http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/7E15-35A0-9BAB-029E-D865 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865 | | 2. http://cerberhhyed5frqa.qor499.top/7E15-35A0-9BAB-029E-D865 | | 3. http://cerberhhyed5frqa.gkfit9.win/7E15-35A0-9BAB-029E-D865 | | 4. http://cerberhhyed5frqa.305iot.win/7E15-35A0-9BAB-029E-D865 | | 5. http://cerberhhyed5frqa.dkrti5.win/7E15-35A0-9BAB-029E-D865 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/7E15-35A0-9BAB-029E-D865 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.qor499.top/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.gkfit9.win/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.305iot.win/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.dkrti5.win/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.onion/7E15-35A0-9BAB-029E-D865

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note

C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865 http://cerberhhyed5frqa.qor499.top/7E15-35A0-9BAB-029E-D865 http://cerberhhyed5frqa.gkfit9.win/7E15-35A0-9BAB-029E-D865 http://cerberhhyed5frqa.305iot.win/7E15-35A0-9BAB-029E-D865 http://cerberhhyed5frqa.dkrti5.win/7E15-35A0-9BAB-029E-D865 What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865 appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://cerberhhyed5frqa.onion/7E15-35A0-9BAB-029E-D865 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.qor499.top/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.gkfit9.win/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.305iot.win/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.dkrti5.win/7E15-35A0-9BAB-029E-D865

http://cerberhhyed5frqa.onion/7E15-35A0-9BAB-029E-D865

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (8)
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (8)
suricata
Contacts a large (16432) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	srdelayed.exe

Executes dropped EXE 6 IoCs

pid	Process
4432	srdelayed.exe
2696	srdelayed.exe
636	srdelayed.exe
3716	srdelayed.exe
3812	srdelayed.exe
4156	srdelayed.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConfirmEnter.tiff	srdelayed.exe
File opened for modification	C:\Users\Admin\Pictures\WatchConfirm.tiff	srdelayed.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	srdelayed.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\srdelayed.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\srdelayed.lnk	srdelayed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srdelayed = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\srdelayed = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	srdelayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srdelayed = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	srdelayed.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	srdelayed.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\srdelayed = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	srdelayed.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEF7A.bmp"	srdelayed.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\42e7f75c-625a-45d3-a537-93538cf2024d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220407213602.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2164	taskkill.exe
2652	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\Desktop	srdelayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34495039-AF28-6032-7ADB-CDF051F76325}\\srdelayed.exe\""	srdelayed.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings	srdelayed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3620	PING.EXE
516	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe
4432	srdelayed.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	4432	srdelayed.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	2696	srdelayed.exe
Token: SeDebugPrivilege	636	srdelayed.exe
Token: SeDebugPrivilege	3716	srdelayed.exe
Token: SeDebugPrivilege	3812	srdelayed.exe
Token: SeDebugPrivilege	4156	srdelayed.exe
Token: 33	4384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4384	AUDIODG.EXE
Token: SeDebugPrivilege	2652	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4432	4384	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	85
PID 4384 wrote to memory of 4432	4384	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	85
PID 4384 wrote to memory of 4432	4384	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	85
PID 4384 wrote to memory of 2300	4384	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	86
PID 4384 wrote to memory of 2300	4384	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	86
PID 4384 wrote to memory of 2300	4384	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	86
PID 2300 wrote to memory of 2164	2300	cmd.exe	88
PID 2300 wrote to memory of 2164	2300	cmd.exe	88
PID 2300 wrote to memory of 2164	2300	cmd.exe	88
PID 2300 wrote to memory of 3620	2300	cmd.exe	90
PID 2300 wrote to memory of 3620	2300	cmd.exe	90
PID 2300 wrote to memory of 3620	2300	cmd.exe	90
PID 4432 wrote to memory of 1844	4432	srdelayed.exe	121
PID 4432 wrote to memory of 1844	4432	srdelayed.exe	121
PID 4432 wrote to memory of 3044	4432	srdelayed.exe	122
PID 4432 wrote to memory of 3044	4432	srdelayed.exe	122
PID 1844 wrote to memory of 1648	1844	msedge.exe	123
PID 1844 wrote to memory of 1648	1844	msedge.exe	123
PID 4432 wrote to memory of 1168	4432	srdelayed.exe	124
PID 4432 wrote to memory of 1168	4432	srdelayed.exe	124
PID 1168 wrote to memory of 3976	1168	msedge.exe	125
PID 1168 wrote to memory of 3976	1168	msedge.exe	125
PID 4432 wrote to memory of 2592	4432	srdelayed.exe	126
PID 4432 wrote to memory of 2592	4432	srdelayed.exe	126
PID 4432 wrote to memory of 2204	4432	srdelayed.exe	128
PID 4432 wrote to memory of 2204	4432	srdelayed.exe	128
PID 2204 wrote to memory of 2652	2204	cmd.exe	130
PID 2204 wrote to memory of 2652	2204	cmd.exe	130
PID 2204 wrote to memory of 516	2204	cmd.exe	132
PID 2204 wrote to memory of 516	2204	cmd.exe	132
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1168 wrote to memory of 4248	1168	msedge.exe	135
PID 1844 wrote to memory of 2348	1844	msedge.exe	134
PID 1844 wrote to memory of 2348	1844	msedge.exe	134

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
  "C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8b83446f8,0x7ff8b8344708,0x7ff8b8344718
      4⤵
      PID:1648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2712 /prefetch:2
      4⤵
      PID:2348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2876 /prefetch:3
      4⤵
      PID:3848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
      4⤵
      PID:4004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
      4⤵
      PID:452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
      4⤵
      PID:1008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
      4⤵
      PID:3892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
      4⤵
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 /prefetch:8
      4⤵
      PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
      4⤵
      PID:4244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      4⤵
      PID:1532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
      4⤵
      PID:3836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0xe0,0xdc,0x10c,0x114,0x7ff7dab35460,0x7ff7dab35470,0x7ff7dab35480
        5⤵
        
        PID:1788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
      4⤵
      PID:5088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
      4⤵
      PID:2312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
      4⤵
      PID:1528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
      4⤵
      PID:3004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5420 /prefetch:8
      4⤵
      PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 /prefetch:8
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:8
      4⤵
      PID:4968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4988 /prefetch:2
      4⤵
      PID:3024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6444 /prefetch:8
      4⤵
      PID:2392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:8
      4⤵
      PID:1952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1284 /prefetch:8
      4⤵
      PID:512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
      4⤵
      PID:1704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
      4⤵
      PID:1324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2760,4944842532603081128,5929192049117854309,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
      4⤵
      PID:3816
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:3044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.zmvirj.top/7E15-35A0-9BAB-029E-D865
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b83446f8,0x7ff8b8344708,0x7ff8b8344718
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,2507754614078346526,15974683089691032658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2704 /prefetch:2
      4⤵
      PID:4248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,2507754614078346526,15974683089691032658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 /prefetch:3
      4⤵
      PID:3984
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2592
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "srdelayed.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "srdelayed.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2652
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:516
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3620

C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5108

C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d4 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
d2a99ffb2c73d006e4e8ffa26557ad1a

SHA1
676a39fb0687a05570e66ed2a5fdbbd846168367

SHA256
69ece1dfccce0a7eae10152fdfbecbc3cf8264bf981a55d141f5efa25d3d4aa9

SHA512
9bdebd6569f028e239da76ed67a593c53da04fb2f73c325f88c1bd83416c93080d778604d9894d2a02276736ef30b4654040460cfb040d185147eee0d02c50ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
df14da5adf20951ddbc8ab4cf889426a

SHA1
fba6bdeb256a4c05ed7683398ba738a4223f7dfc

SHA256
acef0ba449d32c12dba5c632540d477d32666ef832fb959c07b377dd71dc16a9

SHA512
b2ecd7cb46981160e539661eaed74e406db523ec59c0e2480d21ef64efdf559e0521b9a4ddb1208755a3b01d641d09197f18328fa3d3e4b99ba8e95fb70dbc88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
df14da5adf20951ddbc8ab4cf889426a

SHA1
fba6bdeb256a4c05ed7683398ba738a4223f7dfc

SHA256
acef0ba449d32c12dba5c632540d477d32666ef832fb959c07b377dd71dc16a9

SHA512
b2ecd7cb46981160e539661eaed74e406db523ec59c0e2480d21ef64efdf559e0521b9a4ddb1208755a3b01d641d09197f18328fa3d3e4b99ba8e95fb70dbc88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8250bf8bdcafdac510a8ac7aa2a14b63

SHA1
2b23624eab087a8b85f3f15f0d327d9e752c58e1

SHA256
f232b97365726b37221dd3884e9cf92c7a6ed67439c06b37082ee78169ead73d

SHA512
4b746ab53e4ea71779873ff7f8a806c7929c74d11440e25f924a22779de423587d9f1abf93beff9828518f05da0312af0254f9bb075d156eacb771adf92cd564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
b0689a40342c4d1f9805ed0080437351

SHA1
319cd3fd36d92118fef27e6b57ef61e54c232907

SHA256
ab67d989da4b0cc3c07f9dae46ee3d59cf611091068a5c8d74bbf5c618cd060a

SHA512
6b3fa008e6a13047c0ce5e05f351c0a7891759a882f32cdccd30cbf9bc2c3c340269e4378504257d77b115317d68921fb98844705748b5c7ac62642fabba921f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637849553672365508

Filesize
3KB

MD5
089214450a052af7a44841faf8e9eadc

SHA1
4ca873b8b34f7cb2fb7c10861c6a4cfcf0594d62

SHA256
b4927ea20803a9df3f970040f117a72f1eb6f0ad5d64fd79a8cbca8daac969d4

SHA512
9479e4fa177e19c8f0b064499a2b34cd05beaa6ac2a7b890bbf71020768c8fcf15a37c2f3ed3a48b7cb30a32b1c4fc64919b3e56166362fdc13f954a5a51b18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684

Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising

Filesize
24KB

MD5
4e9962558e74db5038d8073a5b3431aa

SHA1
3cd097d9dd4b16a69efbb0fd1efe862867822146

SHA256
6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279

SHA512
fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics

Filesize
4KB

MD5
fad197d6ffd32d1268b9e7e8d13ab32a

SHA1
b0129887a75965bb2ef56a2c39d3231e5b87265d

SHA256
4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3

SHA512
01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content

Filesize
6KB

MD5
94c183b842784d0ae69f8aa57c8ac015

SHA1
c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd

SHA256
aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25

SHA512
5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining

Filesize
1KB

MD5
8c31feb9c3faaa9794aa22ce9f48bfbd

SHA1
f5411608a15e803afc97961b310bb21a6a8bd5b6

SHA256
6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d

SHA512
ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting

Filesize
1KB

MD5
b51076d21461e00fcbf3dbd2c9e96b2b

SHA1
31311536cf570f2f9c88d21f03a935ac6e233231

SHA256
21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993

SHA512
3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other

Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social

Filesize
999B

MD5
152b745da17397ed5a2f3059bb157600

SHA1
47bf4e575ba1acf47dcc99f1800f753b4cc65ef6

SHA256
ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8

SHA512
4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising

Filesize
459B

MD5
d024831cae8599f0edee70275d99e843

SHA1
69e08b543802b130da5305cbb0140bda5601079c

SHA256
0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978

SHA512
ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics

Filesize
50B

MD5
4cefbb980962973a354915a49d1b0f4d

SHA1
1d20148cab5cdadb85fad6041262584a12c2745d

SHA256
66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a

SHA512
6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content

Filesize
36B

MD5
7f077f40c2d1ce8e95faa8fdb23ed8b4

SHA1
2c329e3e20ea559974ddcaabc2c7c22de81e7ad2

SHA256
bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf

SHA512
c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\srdelayed.lnk

Filesize
1KB

MD5
ac72fe59def1caf858c5a3eafacae022

SHA1
8d5606034f3b292d5cd3bcdb3f61c484f049ca79

SHA256
6764b102cbcd33b57bf5bfd9902f481397170e66631349d273b64922b60bc6af

SHA512
07d16912c40b040c26d6e5935615813646c698c65ee72db94f1856f2d98f0bb9fc9925692a0375c3f2c9979eda50650309c28cc869e3097c34fd9e061c28e938

Download Submit
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{34495039-AF28-6032-7ADB-CDF051F76325}\srdelayed.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
7ef2a808c1cb772ff796831538e19ff9

SHA1
76a6144109b7b603daeffa140dae075b26785c97

SHA256
4c5817fcffd4d9be64593c698e17478be82f5567dfd0c37710fa616493f643a2

SHA512
7c37d4aa036d93a8d671cb7b963209d14ae2ce83f69bc5c4109ef83eea79df9f415c2560c1cbddc46a1a721287c2bc82807562eb16fcf541cdf1c9b2d8e0767c

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
766781b2ebede8ac6b4c13f5b7f8c171

SHA1
eefda17d5a72b454ba6bcd1df6b706f5ee6b5ea6

SHA256
8a67e88418366897863e496fb06778c1da629f94f4fe98a0ff955c28e96add71

SHA512
dc9969aa6f4445c05f3040cdca69b75fa1c88d605a9c5c8134edc59617a2362336cbca6cce44709634309abe347245cb9ca1ff5cd68dc8cfb861e48305187d7e

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
memory/636-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2348-185-0x00007FF8D8980000-0x00007FF8D8981000-memory.dmp

Filesize
4KB

Download
memory/2696-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3716-150-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3812-152-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4156-154-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4384-134-0x0000000003DB0000-0x0000000003DD1000-memory.dmp

Filesize
132KB

Download
memory/4384-135-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4432-141-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download