Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 15:40

Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Resource: win10v2004-20240426-en

General

Target: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Size: 392KB
MD5: 6653ef20d2a3a6ef656d9c886ebabd93
SHA1: bb0cc0b05bb70a3d347faa94fb36a35c771b0692
SHA256: 48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
SHA512: b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360
SSDEEP: 3072:viHZTdn6oWzjNtxPPnGau7GMuOYHAifZEeKPi6u7KzrN7ivE5oY4KppRsqYaefiU:QZqPtvGauSM4HAifkGOzrN+HKkalM
Malware Config

Extracted from: C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
- http://cerberhhyed5frqa.xlfp45.win/2AD1-7E73-D387-0291-964F
- http://cerberhhyed5frqa.slr849.win/2AD1-7E73-D387-0291-964F
- http://cerberhhyed5frqa.ret5kr.win/2AD1-7E73-D387-0291-964F
- http://cerberhhyed5frqa.zgf48j.win/2AD1-7E73-D387-0291-964F
- http://cerberhhyed5frqa.xltnet.win/2AD1-7E73-D387-0291-964F
- http://cerberhhyed5frqa.onion/2AD1-7E73-D387-0291-964F

Extracted from: C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Contacts a large number (16398) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, ByteCodeGenerator.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [ByteCodeGenerator.exe]

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: ByteCodeGenerator.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation [ByteCodeGenerator.exe]

Drops startup file (2 IoCs)
Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, ByteCodeGenerator.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ByteCodeGenerator.lnk [VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe]
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ByteCodeGenerator.lnk [ByteCodeGenerator.exe]

Executes dropped EXE (1 IoC)
Processes: ByteCodeGenerator.exe
- PID 376 ByteCodeGenerator.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, ByteCodeGenerator.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ByteCodeGenerator = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ByteCodeGenerator = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [ByteCodeGenerator.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ByteCodeGenerator = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [ByteCodeGenerator.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ByteCodeGenerator = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe]

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- Flow 7: ipinfo.io

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: ByteCodeGenerator.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8BFF.bmp" [ByteCodeGenerator.exe]

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS [msedge.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer [msedge.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName [msedge.exe]

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- PID 3688 vssadmin.exe

Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
- PID 1836 taskkill.exe
- PID 316 taskkill.exe

Modifies Control Panel (4 IoCs)
Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, ByteCodeGenerator.exe
- Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop [VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe]
- Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop [ByteCodeGenerator.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\ByteCodeGenerator.exe\"" [ByteCodeGenerator.exe]

Modifies registry class (1 IoC)
Processes: ByteCodeGenerator.exe
- Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings [ByteCodeGenerator.exe]

Runs ping.exe (1 TTP, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (42 IoCs; unique entries shown)
Processes: ByteCodeGenerator.exe, msedge.exe, msedge.exe, identity_helper.exe
- PID 376 ByteCodeGenerator.exe
- PID 4436 msedge.exe
- PID 2196 msedge.exe
- PID 2904 identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs; unique entries shown)
Processes: msedge.exe
- PID 2196 msedge.exe

Suspicious use of AdjustPrivilegeToken (51 IoCs; grouped by process, unique entries shown)
Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, ByteCodeGenerator.exe, taskkill.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
- PID 4580 VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe: SeDebugPrivilege
- PID 376 ByteCodeGenerator.exe: SeDebugPrivilege
- PID 1836 taskkill.exe: SeDebugPrivilege
- PID 4428 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 1576 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 392 AUDIODG.EXE: 33, SeIncBasePriorityPrivilege
- PID 316 taskkill.exe: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (25 IoCs; unique entries shown)
Processes: msedge.exe
- PID 2196 msedge.exe

Suspicious use of SendNotifyMessage (24 IoCs; unique entries shown)
Processes: msedge.exe
- PID 2196 msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs; unique source/target pairs shown)
Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, ByteCodeGenerator.exe, cmd.exe, msedge.exe
- PID 4580 VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe wrote to memory of PID 376 ByteCodeGenerator.exe
- PID 4580 VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe wrote to memory of PID 2376 cmd.exe
- PID 376 ByteCodeGenerator.exe wrote to memory of PID 3688 vssadmin.exe
- PID 2376 cmd.exe wrote to memory of PID 1836 taskkill.exe
- PID 2376 cmd.exe wrote to memory of PID 616 PING.EXE
- PID 376 ByteCodeGenerator.exe wrote to memory of PID 1576 wmic.exe
- PID 376 ByteCodeGenerator.exe wrote to memory of PID 2196 msedge.exe
- PID 2196 msedge.exe wrote to memory of PID 1492 msedge.exe
- PID 376 ByteCodeGenerator.exe wrote to memory of PID 2304 NOTEPAD.EXE
- PID 2196 msedge.exe wrote to memory of PID 4288 msedge.exe
- PID 2196 msedge.exe wrote to memory of PID 4436 msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
  Signatures: Adds policy Run key to start application; Drops startup file; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\ByteCodeGenerator.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\ByteCodeGenerator.exe"
    Signatures: Adds policy Run key to start application; Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      Signatures: Interacts with shadow copies

    - [3] C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken

    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3f4c46f8,0x7ffe3f4c4708,0x7ffe3f4c4718

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8004443124789842395,3928219365156001817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1

    - [3] C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xlfp45.win/2AD1-7E73-D387-0291-964F

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3f4c46f8,0x7ffe3f4c4708,0x7ffe3f4c4718

    - [3] C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

    - [3] C:\Windows\system32\cmd.exe
      Command line: /d /c taskkill /t /f /im "ByteCodeGenerator.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\ByteCodeGenerator.exe" > NUL

      - [4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /t /f /im "ByteCodeGenerator.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

      - [4] C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        Signatures: Runs ping.exe

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL
    Signatures: Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      Signatures: Runs ping.exe

- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x510 0x504
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.url (85B)
- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.vbs (219B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html (12KB)
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt (10KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ByteCodeGenerator.lnk (1KB)
- C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\ByteCodeGenerator.exe (392KB; same MD5, SHA1, SHA256 and SHA512 as the submitted sample, i.e. a copy of it)
- \??\pipe\LOCAL\crashpad_2196_RHTDXGLTATTYZVMX (0 bytes)