cerber | 2d9bb4e3fddfe5dc51c54cba74a1eb594c7be9d34774524d972350edd85e6499

Resubmissions

08-02-2024 01:32

240208-bx7pqsbg96 10

27-01-2024 14:19

240127-rmwgqadhc4 10

Analysis

max time kernel
489s
max time network
577s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-02-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master.zip
Size

199.9MB
MD5

cdf4e0a856fc08e09a62ffdf933cae54
SHA1

4f148768a5083e524bf9a28cb967f936565550c4
SHA256

2d9bb4e3fddfe5dc51c54cba74a1eb594c7be9d34774524d972350edd85e6499
SHA512

35a7c6f3ec10eba8eb46759cbff7ff5568191e53e0d78227000b9bc9ed014920024f7b18a96ae2ae6ed4b72aaa804fcf4b5128a088723c2966023f6c3a60d1a5
SSDEEP

6291456:9vTD0Y5thtdnP0If6fx++o7OTlNmP8nQhkXfW:1D0Y5thtdnPVo4+wOTlg4TPW

Score

10^/10

cerber cryptolocker dharma discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\_R_E_A_D___T_H_I_S___SKIVERP_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/3129-A647-E9B4-0098-B41D Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/3129-A647-E9B4-0098-B41D 2. http://xpcx6erilkjced3j.19kdeh.top/3129-A647-E9B4-0098-B41D 3. http://xpcx6erilkjced3j.1mpsnr.top/3129-A647-E9B4-0098-B41D 4. http://xpcx6erilkjced3j.18ey8e.top/3129-A647-E9B4-0098-B41D 5. http://xpcx6erilkjced3j.17gcun.top/3129-A647-E9B4-0098-B41D ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.1n5mod.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.19kdeh.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.1mpsnr.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.18ey8e.top/3129-A647-E9B4-0098-B41D

http://xpcx6erilkjced3j.17gcun.top/3129-A647-E9B4-0098-B41D

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Contacts a large (1092) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1532 netsh.exe
2208 netsh.exe

pid	process
1532	netsh.exe
2208	netsh.exe

Drops startup file 2 IoCs

Processes:

Cerber5.exeCoronaVirus.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	Cerber5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 4 IoCs

Processes:

butterflyondesktop.tmpButterflyOnDesktop.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
320	butterflyondesktop.tmp
2144	ButterflyOnDesktop.exe
2108	{34184A33-0407-212E-3320-09040709E2C2}.exe
2096	{34184A33-0407-212E-3320-09040709E2C2}.exe

Loads dropped DLL 7 IoCs

Processes:

butterflyondesktop.exebutterflyondesktop.tmpCryptoLocker.exe

pid	process
704	butterflyondesktop.exe
320	butterflyondesktop.tmp
320	butterflyondesktop.tmp
320	butterflyondesktop.tmp
320	butterflyondesktop.tmp
320	butterflyondesktop.tmp
764	CryptoLocker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3040-376-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Users\Admin\Documents\install.exe	upx
behavioral1/memory/3040-1043-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5416-26740-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3556-26745-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exebutterflyondesktop.tmpMantas.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini	CoronaVirus.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Cerber5.exe

description	ioc	process
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\e:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

WScript.exeCoronaVirus.exe

description	ioc	process
File created	C:\AutoRun.inf	WScript.exe
File opened for modification	C:\AutoRun.inf	WScript.exe
File created	F:\AutoRun.inf	WScript.exe
File opened for modification	F:\AutoRun.inf	WScript.exe
File opened for modification	C:\AutoRun.inf	CoronaVirus.exe
File opened for modification	F:\AutoRun.inf	CoronaVirus.exe

Drops file in System32 directory 64 IoCs

Processes:

OUTLOOK.EXEWScript.exeCerber5.exeMantas.exeCoronaVirus.exe

description	ioc	process
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\gatherNetworkInfo.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnjobs.vbs	WScript.exe
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	Cerber5.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs	WScript.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	Cerber5.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnport.vbs	WScript.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	Cerber5.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs	WScript.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	Cerber5.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs	WScript.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	Cerber5.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Admin.ini	WScript.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnqctl.vbs	WScript.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	Cerber5.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs	WScript.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	Cerber5.exe
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	Cerber5.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs	WScript.exe
File opened for modification	C:\Windows\System32\Admin.vbs	WScript.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs	WScript.exe

Drops file in Program Files directory 64 IoCs

Processes:

WScript.exeCoronaVirus.exeMantas.exeCerber5.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html	WScript.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	CoronaVirus.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html	WScript.exe
File created	C:\Program Files\gnucleus\downloads\quake3.exe	Mantas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	WScript.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	CoronaVirus.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\New_Salem.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\KazaaLite\My shared folder\serial.exe	Mantas.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg	CoronaVirus.exe
File opened for modification	C:\Program Files\grokster\my grokster\cum.jpg	Mantas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	CoronaVirus.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	CoronaVirus.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	WScript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\KazaaLite\My shared folders\Grokster.exe	Mantas.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png	CoronaVirus.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\KazaaLite\My shared folders\kazaalite.exe	Mantas.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	WScript.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\edonkey2000\incoming\winxp service pack.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\DivX.exe	Mantas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\KazaaLite\My shared folder\Spybot - Search & Destroy .exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\Winamp3-Full.exe	Mantas.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\KazaaLite\My shared folder\diablo2.exe	Mantas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	WScript.exe
File opened for modification	\??\c:\program files (x86)\steam	Cerber5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.id-AF5E065C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Internet Explorer\JSProfilerCore.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline_is.dll	CoronaVirus.exe

Drops file in Windows directory 64 IoCs

Processes:

WScript.exeCerber5.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dd612a0790e20961\calendar.html	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73db80f37a680574\currency.html	WScript.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	Cerber5.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_31173e7d19fe591a\picturePuzzle.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\501.htm	WScript.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	Cerber5.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0246f6465cb859ba\settings.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-2.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-15.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\flyout.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-11.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500-18.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c65f31d113437677\calendar.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\weather.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f74d1ac7302c46a8\prndrvr.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7fa92a4e1adcf67f\clock.html	WScript.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	Cerber5.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Roses.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-10.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-13.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-4.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1b17ba477234d5e\prnjobs.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_330b92f4e4356a4b\settings.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-3.htm	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\flyout.html	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c3672adaf7f9b591\weather.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-18.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a6dae8166284ac8\prnmngr.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-4.htm	WScript.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	Cerber5.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\flyout.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\weather.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-10.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0d25248058fa612a\prnqctl.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_330b92f4e4356a4b\clock.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\406.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\settings.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-13.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-9.htm	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd9932e5aaee1f78\settings.html	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b7c1292c822004f6\settings.html	WScript.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	Cerber5.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\slideShow.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-7.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f74d1ac7302c46a8\prnjobs.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7fddcd6a1ab604da\settings.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_92a65a18e6532ae7\settings.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-10.htm	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-8.htm	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_de-de_34a4f72aa1dd0bf7\calendar.html	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\clock.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\settings.html	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-3.htm	WScript.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	Cerber5.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2b166002b7f51771\flyout.html	WScript.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	Cerber5.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1b17ba477234d5e\prndrvr.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f74d1ac7302c46a8\prnqctl.vbs	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2844 1756 WerFault.exe YouAreAnIdiot.exe
8072 8108 WerFault.exe 7ev3n.exe
Office loads VBA resources, possible macro or embedded object present

pid	pid_target	process	target process
2844	1756	WerFault.exe	YouAreAnIdiot.exe
8072	8108	WerFault.exe	7ev3n.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

5132 vssadmin.exe
9312 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

9732 taskkill.exe

pid	process
5132	vssadmin.exe
9312	vssadmin.exe

pid	process
9732	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeWINWORD.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d6000000000200000000001066000000010000200000008d3361824c6dbdcd38f5dd59e735554d257c3d249590001a15f90509a5f065fc000000000e8000000002000020000000347cef9b8c43262d355e00fef656abe880cdf5c17f0e99851199bc1aa8b9ac2c200000003bf7ceece9b6dddaba8b449504e126cb61072fe9ebe4992a9be811cdf1e80b49400000005d22a08f4968fdbca3a2e5d663d64eb31d00de68874c1072868ed949334ef521d82e7b6c0182d9a288631dfa1b7bea603f9ac0abfc5b6333996c57d6c4fa9c33	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01cd433305ada01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000250d5137a670b64cb930c012d8c74bb97afe2f5fdc1a02de3db475190eae979c000000000e8000000002000020000000d2c72d917272e323c9eb3002b85cabdb5196e9c4f887d90162bf76237d664bbf9000000049768eb7303752ebdcc854901e6ae13e7e35c13dc21b8322b509007e3d580c0ac5b4014efddfca74069989d84f4b57355e3d56a9a082bd93c15e63598a99daa539bf4e4b0d0fb844b2aa65e51c48a34dbd7845a50eb2a63b5e3948fd0025262b07e8b98773cac499eea5bf0021e4fe1b3905024ac1178b93d041225a8eede49e677a72bb2ddb0906c60a944e0bada88840000000098824b87dbd93ee6cb56609752c5b0ef248e5e937499d58c9c05462992fd85f6909ce4aaf09af625dd1d977733177cb9b77fa6db7153aa93b729bb367f20674	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F0EEA01-C623-11EE-A3D4-6E556AB52A45} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXEWINWORD.EXEWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\TypeLib\{C2ED730D-9ED8-4CBA-8BF5-A54BC4B89927}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ = "_Explorer"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\ = "_SendRuleAction"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\ = "_TasksModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2ED730D-9ED8-4CBA-8BF5-A54BC4B89927}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\ = "_CategoryRuleCondition"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\System32\\WScript.exe \"C:\\Windows\\Admin.vbs\" %1 %* "	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\ = "_MoveOrCopyRuleAction"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ = "ItemsEvents"	OUTLOOK.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3332 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

8432 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

3008 WINWORD.EXE

pid	process
3332	NOTEPAD.EXE

pid	process
8432	PING.EXE

pid	process
3008	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

chrome.exeCoronaVirus.exe

pid	process
1320	chrome.exe
1320	chrome.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe
1164	CoronaVirus.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

AUDIODG.EXEchrome.exeCerber5.exe

description	pid	process
Token: 33	2716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2716	AUDIODG.EXE
Token: 33	2716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2716	AUDIODG.EXE
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	444	Cerber5.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

butterflyondesktop.tmpchrome.exeButterflyOnDesktop.exeiexplore.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exeAvoid.exe

pid	process
320	butterflyondesktop.tmp
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
2144	ButterflyOnDesktop.exe
636	iexplore.exe
1320	chrome.exe
2592	Avoid.exe
2840	Avoid.exe
2748	Avoid.exe
2216	Avoid.exe
2732	Avoid.exe
2672	Avoid.exe
2428	Avoid.exe
1940	Avoid.exe
2484	Avoid.exe
2928	Avoid.exe
1356	Avoid.exe
2584	Avoid.exe
2084	Avoid.exe
1956	Avoid.exe
1224	Avoid.exe
1588	Avoid.exe
2572	Avoid.exe
3012	Avoid.exe
1156	Avoid.exe
1888	Avoid.exe
1564	Avoid.exe
2784	Avoid.exe
2336	Avoid.exe
2704	Avoid.exe
2372	Avoid.exe
1120	Avoid.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exeButterflyOnDesktop.exeOUTLOOK.EXE

pid	process
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
2144	ButterflyOnDesktop.exe
2764	OUTLOOK.EXE
2764	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXEWINWORD.EXEOUTLOOK.EXE

pid process

636 iexplore.exe
636 iexplore.exe
2988 IEXPLORE.EXE
2988 IEXPLORE.EXE
3008 WINWORD.EXE
3008 WINWORD.EXE
2764 OUTLOOK.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Cerber5.exe

pid process

444 Cerber5.exe

pid	process
636	iexplore.exe
636	iexplore.exe
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
2764	OUTLOOK.EXE

pid	process
444	Cerber5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

butterflyondesktop.exechrome.exe

description	pid	process	target process
PID 704 wrote to memory of 320	704	butterflyondesktop.exe	butterflyondesktop.tmp
PID 704 wrote to memory of 320	704	butterflyondesktop.exe	butterflyondesktop.tmp
PID 704 wrote to memory of 320	704	butterflyondesktop.exe	butterflyondesktop.tmp
PID 704 wrote to memory of 320	704	butterflyondesktop.exe	butterflyondesktop.tmp
PID 704 wrote to memory of 320	704	butterflyondesktop.exe	butterflyondesktop.tmp
PID 704 wrote to memory of 320	704	butterflyondesktop.exe	butterflyondesktop.tmp
PID 704 wrote to memory of 320	704	butterflyondesktop.exe	butterflyondesktop.tmp
PID 1320 wrote to memory of 768	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 768	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 768	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 992	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 2044	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 2044	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 2044	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe
PID 1320 wrote to memory of 1152	1320	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip
1⤵
PID:2520

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\The Worst Of All!!!!!!\BonziBUDDY!!!!!!.txt
1⤵
PID:592

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\is-PRFGT.tmp\butterflyondesktop.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PRFGT.tmp\butterflyondesktop.tmp" /SL5="$4024C,2719719,54272,C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
PID:320

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:636 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5519758,0x7fef5519768,0x7fef5519778
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:2
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:8
2⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:8
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:1
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:2
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3232 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:1
2⤵
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 --field-trial-handle=1396,i,4222851619887026976,5699335345987466836,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2816

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 864
2⤵
- Program crash
PID:2844

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2592

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2840

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2748

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2216

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2732

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2672

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2428

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1940

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2484

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2928

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1356

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2584

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2084

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1956

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\HeadTail.vbs"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1520

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Netres.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Netres.a.exe"
1⤵
PID:1596

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Mantas.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3040

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1224

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1588

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2572

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3012

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1156

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1888

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1564

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2784

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2704

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1120

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
PID:2280

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
PID:2656

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Melissa.doc"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
PID:584

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1004

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:7408

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:9312

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5944

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5656

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:3116

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:5452

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5132

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:444

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
2⤵
- Modifies Windows Firewall
PID:1532

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
2⤵
- Modifies Windows Firewall
PID:2208

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___T1JU9UJ_.hta"
2⤵
PID:9508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Admin.vbs" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___ZZIGK_.txt
2⤵
PID:6960

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___ZZIGK_.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:3332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Admin.vbs"
3⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
2⤵
PID:8024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "C"
3⤵
- Kills process with taskkill
PID:9732

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:8432

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
1⤵
- Loads dropped DLL
PID:764

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2108

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
3⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"
1⤵
PID:8108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 916
2⤵
- Program crash
PID:8072

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RedoInvoke.tmp
1⤵
PID:4980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1968

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe"
1⤵
PID:7244

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
PID:4092

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
1⤵
PID:9104

C:\Windows\system32\SndVol.exe
SndVol.exe -f 46007460 31536
1⤵
PID:204

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
PID:5416

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoRun.inf
Filesize
221B

MD5
b19d9e86c31676f66ab19fba9b64902c

SHA1
e2fde88eed61423b1d5dd2d5c2a233cad58a3a8e

SHA256
7af2084303d196ade349296ea5246f6d39e77667de243e5b67258f09a77b2192

SHA512
c1182be00cde50e1dd030d14bef9f0ecd797157046936e54fe38ce9a1ff6bb65e2dc7eae31f097163110ebbef4b6f6bdef2701d32e1012f1cd070e0f2221eda6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.id-AF5E065C.[coronavirus@qq.com].ncov
Filesize
192KB

MD5
ef2e0d18474b2151ef5876b1e89c2f1d

SHA1
aef9802fcf76c67d695bc77322bae5400d3bbe82

SHA256
3381de4ca9f3a477f25989dfc8b744e7916046b7aa369f61a9a2f7dc0963ec9e

SHA512
e81185705a3bd73645bf2b190bbf3aee060c1c72f98fa39665f254a755b0a5723ce8296422874eb50c7b5e8d6bcd90175b0ba28061221039172a3f50e8902cc8

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL.id-AF5E065C.[coronavirus@qq.com].ncov.8AA64E31B9728EC45611937923B3103590456B452D2BA8EA3EB5AD77D10833F8
Filesize
3.7MB

MD5
c09ffd9fbc22c3e3baf709af2a579767

SHA1
70f1add9b0da18d821104d92bdb25b5c15e37a8f

SHA256
8db9d503b86bda72a8432fbfc6766091c20b73c9bfb41a160d370f6b878145b1

SHA512
c179d08d79b9cd4f8677277b67cb1d30f2f16a6ca8dd7a9f429e8d4f3b318a19b2c520ff23994630bd224c7746c7bf8f9e57343fe3d2874033f3d863bda656e8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html
Filesize
34KB

MD5
9d2d240d9002d52077634121bfb88cfc

SHA1
6885af902ed2346f0db772c18056e6cef5e6ac1c

SHA256
17c31a411da90b0ed7a9e694b17ec70b5501e3622b077e051a008a1c94d9eb61

SHA512
3a5ed01d5347b24da14701edf5be5212fdaab2668691e4a23e9107ce6a0c228eb443ea30abd67c73a04b1b99f7f2329f2736d8dc9d02ffb48da7157da4b2c211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\27346e31-fd9d-43a8-9cac-bea33b9e9ff8.tmp
Filesize
114KB

MD5
4f9133239db10abd4c83d2d068bb3d26

SHA1
320df96d96b575e59040f849378ca446fc273db2

SHA256
071331586eabf1abc510d0b23c5ed773ed2b86ffa4456d9e689903c18fba6571

SHA512
d69055b2d892aa9c7dd7c665c50362572ab441d5f724ef0f0738059eb8bba019205be3213048b5a2427a49997e6d522b4ccd1e379e7e851d9fca8956445f0be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Filesize
106KB

MD5
4529eaec52f07bb8ae82565fcca6230b

SHA1
8128fa1f711d470b23771e667f8e0186f3f7de23

SHA256
4693bc2843dabc0ff24acebe71c1c677d7575200bdbd25d724fbeeafb172aa4b

SHA512
fdb22b76f159a3bbdaaf293f50118f8b598bd0ea4798ddb79c0378f4c612a4ffeb45c69997e0c452a21b35f6ebe3415e448693e7e92d31b5b3608765049b3b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Filesize
240KB

MD5
b4bf81e502dd772381438a3993a4987d

SHA1
b6362b16b7e6f5bc632c79d40d81d367f8d1c92d

SHA256
1be897aba378687b7876f837639f6fc60b096b7c108165669912b656fec7a318

SHA512
92d52e49a1163540206e1896b9745fb3ad492e02b872792c97b0a2dbfd3ad210bd981e896a0243e50865d3acd6a86203317be711a03b0b5d12fe58230e397558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Filesize
240KB

MD5
67c4f226e5b0db68c64bb75cfc824490

SHA1
cbe3756fb90c1f7d3422f4df8425b4b3604a195b

SHA256
fef94a164af0f71f779ec1ac664ae949d4c4e1534eb2f782ad985e24796210af

SHA512
ee8136fd79092675850538fee01fa043006b699f96f6282784b7695efe90c28e8283f3d6686ed45fa3ec1e41f27831b3044ddafd29f664aff82167945830027a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Filesize
240KB

MD5
36c7d30a69365da8e6beeb1e5fd11714

SHA1
aa4801a3fe7faa4a47aa7df1482da4c33bbf4515

SHA256
19e00c79d802d3b82be3a2a2b05b9342d60ddc5fb6619d6495f944d7110072ee

SHA512
875d159516c5ad884248298c18ff7a720d4765e3b7eeb30a23eabb5d1c1bb3a938a8772b0a720ed09088f05b31fbc7abf65ceb7c4d37f1b30a97720ca2589080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Filesize
240KB

MD5
70923c80c3c2eec76fd48973fb53a27c

SHA1
18c8ef6634b1b5443906b906216c1512a92cb567

SHA256
a415691e66bf8101e2f0b3b411981ff3bb2cb91c019edc93a288b4d5709bca40

SHA512
192483280475cc10dbde1a0320f710a6ea3cd1e877b994182b64b829c2b9b4de3113abee54c1a9ea81a688ff812f6d332fed9554694d818958fc23d59f585db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFLWQ602\favicon[1].ico
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFTKP12M\butterflyondesktoplike[1].html
Filesize
33KB

MD5
19ab53aeadc05925465191c1b96c7b18

SHA1
911f28f5665e86acae4eadb9f52a17a4a6e440e4

SHA256
11298af4b15745fcb8488ac530e002479eb0008cb51863592db9bb2419442a96

SHA512
f92554816f57221416c33d714bea5aaa8c806ad3ae61ae0e39db6f8a63298a2601875c5af9b95a6706432b18946ecd5153f28161a6f8df5bacedc6c179d976ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDCAA.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA9F7.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\_R_E_A_D___T_H_I_S___JSDOLHFW_.hta
Filesize
109KB

MD5
37120e89f556eb86b74be40e0e4971a9

SHA1
a1930ee717909cd6d9d437ebec4449918393e7e9

SHA256
28633084a0306b585e05341971bfa1f929d4001d5700ae25e5f637ad8593db50

SHA512
3cd22445ee06dfdbfc0e27c3714f8572559de4a5f34ea31f1e1eb4745c5cb713db0d7ff99bd51f6eee233f4099cef1c0d9439cda975b55bd807793f8a4fbdf91

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\_R_E_A_D___T_H_I_S___JSDOLHFW_.hta
Filesize
75KB

MD5
d7f3164ba9cead5e3fe40dba2ec528e6

SHA1
54916e05a50752da1f3671c960cc759be2580452

SHA256
1e236128fd81f82c9ecfa6160eeb6d53955a69a2d206f17be175128d5a587cd2

SHA512
007965ff2ae2e68c2f0751cb647a6667b0f5dc6ec12901be7d143c827bc6afa69ef0ab0ae0eff279ebe6aae17315182ebb440ff8a919c7176c747fb62324eb36

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\_R_E_A_D___T_H_I_S___SKIVERP_.txt
Filesize
1KB

MD5
5617966aadc7561ac5ca95c8b825e51b

SHA1
bce4fdac3f675575a74b66a8a3a188f63bb37f4d

SHA256
f89133bc2ab97239e98c0f77ad436c424a020124441ebe453999b207c7952ae3

SHA512
db4cb32ed0c506a3b6c27f01d3139d921e583b2a1992258f9f2df5465322d7d86443d10bc8cafba05d513beaac87226d5521545c3743d70b94227f3440e35200

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\_R_E_A_D___T_H_I_S___OZQ3KO9I_.txt.8AA64E31B9728EC45611937923B3103590456B452D2BA8EA3EB5AD77D10833F8
Filesize
1KB

MD5
a3653485f9e5829ea0a247ca25fb9e03

SHA1
32eaed6c7e9b2b0e7d1f59244e586f96741e9f89

SHA256
bdbef8dce1022f0990cfd4b5656ca0d3d992c107e8afd4e71137bd31a1904e5e

SHA512
1380559453e868ea91d83b5c02e45d53b7c5f6be570bfd27ca24a75fadde3a06a2a4cd4164d15e7e2430474305b08ae3cd7ff1b533f93eaaab83f3d2eab238b0

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\_R_E_A_D___T_H_I_S___QCWV_.hta.8AA64E31B9728EC45611937923B3103590456B452D2BA8EA3EB5AD77D10833F8
Filesize
109KB

MD5
bdce936a963d0eee2abeb7b1b33b4f9c

SHA1
b3f7530b327f4dec5b09c34c1ff4d18111597b7b

SHA256
d20969a5cbe8a999a7abde8e6835d940a97acbfd509e225034400cb76b7959ee

SHA512
881842faf83fffbbca7604298d869aaf44a1d191566a8ca5fac6b0a0d8b3db5e32d41612f4de19da2ca216cd2987789551f539701119e272014f91d7b1a985bf

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Bolbi.vbs
Filesize
79KB

MD5
8b580dcb64fcfde1846f1cd2ba9a0369

SHA1
8346288dc6e1353e00bb2eae6cb4837bc1524d83

SHA256
d7056457b41fbaece410847fc441aa7e918127995b0078ea2b639d4eeeab468b

SHA512
1c863f71c9b093df3358f69ce42685773ff82c4eab9a9327e20a7c362e4073a9b5c6cebdc75946e4f1f351796e2db050038642f572959db2cdf497deaacb5b83

Download Submit
C:\Users\Admin\Documents\install.exe
Filesize
40KB

MD5
53f25f98742c5114eec23c6487af624c

SHA1
671af46401450d6ed9c0904402391640a1bddcc2

SHA256
7b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705

SHA512
f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048

Download Submit
C:\Users\Admin\Documents\sweet.jpg
Filesize
23KB

MD5
58b1840b979ae31f23aa8eb3594d5c17

SHA1
6b28b8e047cee70c7fa42715c552ea13a5671bbb

SHA256
b2bb460aa299c6064e7fc947bff314e0f915c6ee6f8f700007129e3b6a314f47

SHA512
13548e5900bddc6797d573fcca24cec1f1eefa0662e9d07c4055a3899460f4e135e1c76197b57a49b452e61e201cb86d1960f3e8b00828a2d0031dc9aa78666a

Download Submit
C:\Windows\System32\Admin.vbs
Filesize
33KB

MD5
072064be230008bd05409acb795968b9

SHA1
1e72bc8b90313fd2ed302b9019f343f57b65035c

SHA256
5fb52bea225ec8039eca4a8b782eea9518b2e9c60c860d0903ae60fc51e5b24f

SHA512
af4d869f61517e2706001cb6b5ed65ebec700c81c574a37326083d61269d10377b675349c64839087673eec78f689a12ac5619ea8eb6f64ff54164cbc4af1eab

Download Submit
C:\v1.log
Filesize
657B

MD5
d916e41cdc040c6f05ff6e9eec97f36b

SHA1
1abbcb4ac6ba32fb9d34a863e6557c29cbb59a8c

SHA256
a1df6247df3c927f318248f8e4458d4f1ad1807d583ace31adb0ffc6e94daa6a

SHA512
0bb4766dff4c9f8da0aa7062ad07e54f750926bdf1bd5294eada1907cc1f0faab74c929242c90bf76ed0f8d8f5ff32cb23ae39db52464f682e0d2f33cbeb9fdb

Download Submit
C:\v1.log
Filesize
841B

MD5
1e0479c3ea56999e77ccef163fce008d

SHA1
23bff3a853282009c4043d7f20f559811829c562

SHA256
1bc9386a1a053e564905b3235a4dbe83459ed49116e1edde75c2be1c1dd5b0b5

SHA512
63372063b57fb0e3fe10c8099358b5e86f0ffe7ea3e72819344f28731a860e57941228b4ef7eed943d76b5f04629ad0e8d8b32e8d7aed9010c00d67671f06c12

Download Submit
C:\v1.log
Filesize
1KB

MD5
c7d373daac3914b8c5fe7ba49614acab

SHA1
38d735867a2ef9134c3dc67ef266ba1907120bca

SHA256
52979c7195fb17853256a8e8e619849f892f30a6b5e294e73925690fb4f164cc

SHA512
68c1e1e787b85ab1eb7d65bc11a88a92f4530fa13595f85fd2579ce70e7a0f13fabc0e7d91ae552ca7a51192045f3d3761bc08a705ffa4bc66b4f0601da8e53b

Download Submit
C:\v1.log
Filesize
151B

MD5
1000c2f29825d76617036b51fc607ae1

SHA1
7d108464d745d04a9aaf8239efaf425346d313aa

SHA256
1efe8f45ac5847bef2230a333d853d80be8a6526c9fa3bb5e5ce7eff402dc994

SHA512
df14e935e85693e2406b7b53b512a463a35d496b9854549642e7e826f9a334d63ba5c706accdadb25d868a66e4739e44fc83d62cb6abee7135796381a0653fe5

Download Submit
C:\v1.log
Filesize
395B

MD5
d139cc009dc7ce3b8a81474e25e3c469

SHA1
814765c85255af179a88826ef7122b7c2ad5244d

SHA256
9c2f52ff1df3bbb51a2559bc9e38e8cb402bfccbf51619b521b32b28ef2b29e3

SHA512
3cd6bbb35081f8f10e7da6bf4872c362e3bcf1117440578ed2d9b48515e7641af7d327326a7b9c2baaab1175006c1a2d6310224e490b695605e703446dfddb14

Download Submit
\??\f:\0m1a2n3t4a7s8.jpg
Filesize
24KB

MD5
4fae33b312fd2dcf71986e573d95fc6e

SHA1
7fd49352a7fd6387a7d311b95f60c85e6e73b793

SHA256
0fcefca2eda80b3e30cf35c73125292309ca931db74a194cff2d0fa0b075eb3f

SHA512
a553b856a1a35df7990b0cdc66bd832df8ca638ab229e4dfb26c2c13cdcdae4d09713709eaf21b5ad66b61260476e8373eabb6b0b8bec6fd84b77959f7dfb834

Download Submit
\??\f:\admin.vbs
Filesize
33KB

MD5
e76c9807696c037f615403e35e92f733

SHA1
0f60aa65d290bf59f721a416b852fb4fa1724135

SHA256
64bd9056010371a93f9ada4208ff6fe80fe93a93c823c612c10edbb4b17a9696

SHA512
5bbc4f0eff303e308d1f821a3da82903b26e0ec11657f0f7928fcea7f34c4b8481344ca18940c5869cbbfc4edf2021a167472a443bac338a5a91269193a71590

Download Submit
\??\pipe\crashpad_1320_YSEDKKIWMDIZMBFH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Butterfly on Desktop\unins000.exe
Filesize
701KB

MD5
6883b57c1a2eafa8456a0f8c0b1f1201

SHA1
6c2e40cd9dce3376f28aee8c2ffd14112d98ff76

SHA256
9be228ead14353c5b2f22575091f491ccfc23622030d205f095ffea0b2f79afe

SHA512
e1c4fb3810dfb39439c9f402f74c2f88178cdc28c65134d42215870671403d530bd08cbe03662b18c19f29915f3644935fa8fe32ae60dbd83cee87e769d15f0b

Download Submit
\Users\Admin\AppData\Local\Temp\is-5I7JS.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PRFGT.tmp\butterflyondesktop.tmp
Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
memory/320-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/320-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/320-98-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/320-88-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/320-79-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/444-16986-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-1636-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/444-1637-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/704-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/704-99-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/704-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1120-1297-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1164-6422-0x000000000ACA0000-0x000000000ACD4000-memory.dmp

Filesize
208KB

Download
memory/1164-1634-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-270-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1356-257-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1588-1289-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-364-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-1128-0x0000000051000000-0x0000000051064000-memory.dmp

Filesize
400KB

Download
memory/1756-239-0x0000000000210000-0x0000000000282000-memory.dmp

Filesize
456KB

Download
memory/1756-240-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1756-241-0x0000000000550000-0x0000000000590000-memory.dmp

Filesize
256KB

Download
memory/1756-242-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/1756-243-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-1293-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1940-267-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1940-255-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1956-273-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2084-272-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2084-258-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2144-245-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-232-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2144-94-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2144-1144-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-230-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-260-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-248-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-246-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-231-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-244-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-233-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-275-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2144-238-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2216-263-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2216-251-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2336-1295-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2372-1296-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2428-254-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2428-266-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2484-256-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2484-268-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2572-1290-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2584-271-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2592-247-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2592-259-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2656-1299-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2672-265-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2672-253-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2732-264-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2732-252-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2748-262-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2748-250-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2764-1594-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/2764-1481-0x0000000069AC1000-0x0000000069AC2000-memory.dmp

Filesize
4KB

Download
memory/2764-1394-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/2784-1294-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2784-1338-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2840-261-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2840-249-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2928-269-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3008-1586-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/3008-1352-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/3008-1370-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/3008-1350-0x000000002FB81000-0x000000002FB82000-memory.dmp

Filesize
4KB

Download
memory/3008-1573-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/3012-1292-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3040-376-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3040-1043-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3556-26745-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5416-26739-0x0000000001EA0000-0x0000000001F6E000-memory.dmp

Filesize
824KB

Download
memory/5416-26740-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/7244-11166-0x00000000011F0000-0x000000000122C000-memory.dmp

Filesize
240KB

Download
memory/7244-26726-0x0000000004D25000-0x0000000004D5D000-memory.dmp

Filesize
224KB

Download
memory/7244-26727-0x0000000068780000-0x0000000068E6E000-memory.dmp

Filesize
6.9MB

Download