cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
130s
max time network
131s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700 | | 2. http://cerberhhyed5frqa.qor499.top/A026-A063-B6FC-029E-D700 | | 3. http://cerberhhyed5frqa.gkfit9.win/A026-A063-B6FC-029E-D700 | | 4. http://cerberhhyed5frqa.305iot.win/A026-A063-B6FC-029E-D700 | | 5. http://cerberhhyed5frqa.dkrti5.win/A026-A063-B6FC-029E-D700 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/A026-A063-B6FC-029E-D700 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700

http://cerberhhyed5frqa.qor499.top/A026-A063-B6FC-029E-D700

http://cerberhhyed5frqa.gkfit9.win/A026-A063-B6FC-029E-D700

http://cerberhhyed5frqa.305iot.win/A026-A063-B6FC-029E-D700

http://cerberhhyed5frqa.dkrti5.win/A026-A063-B6FC-029E-D700

http://cerberhhyed5frqa.onion/A026-A063-B6FC-029E-D700

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.qor499.top/A026-A063-B6FC-029E-D700</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.gkfit9.win/A026-A063-B6FC-029E-D700</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.305iot.win/A026-A063-B6FC-029E-D700</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.dkrti5.win/A026-A063-B6FC-029E-D700</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700" target="_blank">http://cerberhhyed5frqa.zmvirj.top/A026-A063-B6FC-029E-D700</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/A026-A063-B6FC-029E-D700 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	compact.exe

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\compact.lnk	compact.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\compact.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Executes dropped EXE 2 IoCs

pid	Process
2112	compact.exe
2812	compact.exe

Loads dropped DLL 2 IoCs

pid	Process
836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2112	compact.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\compact = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\compact = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\compact = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	compact.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\compact = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	compact.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	compact.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1870.bmp"	compact.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2656	taskkill.exe
2740	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	compact.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\compact.exe\""	compact.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A17D0CE1-20E7-11EF-8D12-66A5A0AB388F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A18B5521-20E7-11EF-8D12-66A5A0AB388F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0dd4c64f4b4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423498336"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000002a49fce4088f92afef487c669f2dd0dcc69b18cde9728ede96cec8374eba8b31000000000e8000000002000020000000f1900dfa7ccaed9b6482edee480beacff106a8150389728387550ccef8ae962a90000000407e28c926df84bb50bd2d8bac6c5519d9b12d3a49599bea6412d4baa587452ccfcc5dee1ffb70836052c8fb7bae8e0c160129c7453894559bf38d660090ae847773bef8635283c1c7658f8a185cacc26c1c4d5d75c96e82e95624cd0666e538afd534e52264332111b1f8e000b61252651810dfa5151e9199dee6dda64fd2658eeac10e24bdd6137d8553945460dba7400000007e3819d19b5198398f4f3332ee64cd3b7944c8aa2fb517aa7f660a2c5ed9d113c51d1a4641e50ccc41e61346a37f3f3f8ae46b4735b0059d9944f9e598cfd4c7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000005c264b3a29e13da8a65b5592442254f5cc7adab8e0e5de7094df1d6cf141b664000000000e800000000200002000000059f0ac58656c53c2b0da250c580514822d05fd88cd3711e695a7e2864dd901cc20000000747679aaf9bbd48fa9ea3033c0901abb00a666c29de608a42d1edb5c1970c8804000000053a0feb7ff864191687e296a1f60225d557f30b719e28be3a33cc3f6baf4583f32a43744d5e53abea1aeeb54d9b429e95b44a4551e1edb79d76545541de563df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2548	PING.EXE
2544	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe
2112	compact.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	2112	compact.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	2812	compact.exe
Token: SeDebugPrivilege	2740	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1000	iexplore.exe
448	iexplore.exe
448	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
448	iexplore.exe
448	iexplore.exe
1000	iexplore.exe
1000	iexplore.exe
448	iexplore.exe
448	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2112	compact.exe
2812	compact.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2112	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 836 wrote to memory of 2112	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 836 wrote to memory of 2112	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 836 wrote to memory of 2112	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 836 wrote to memory of 3048	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 836 wrote to memory of 3048	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 836 wrote to memory of 3048	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 836 wrote to memory of 3048	836	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 3048 wrote to memory of 2656	3048	cmd.exe	31
PID 3048 wrote to memory of 2656	3048	cmd.exe	31
PID 3048 wrote to memory of 2656	3048	cmd.exe	31
PID 3048 wrote to memory of 2656	3048	cmd.exe	31
PID 3048 wrote to memory of 2548	3048	cmd.exe	33
PID 3048 wrote to memory of 2548	3048	cmd.exe	33
PID 3048 wrote to memory of 2548	3048	cmd.exe	33
PID 3048 wrote to memory of 2548	3048	cmd.exe	33
PID 2688 wrote to memory of 2812	2688	taskeng.exe	36
PID 2688 wrote to memory of 2812	2688	taskeng.exe	36
PID 2688 wrote to memory of 2812	2688	taskeng.exe	36
PID 2688 wrote to memory of 2812	2688	taskeng.exe	36
PID 2112 wrote to memory of 448	2112	compact.exe	39
PID 2112 wrote to memory of 448	2112	compact.exe	39
PID 2112 wrote to memory of 448	2112	compact.exe	39
PID 2112 wrote to memory of 448	2112	compact.exe	39
PID 2112 wrote to memory of 2348	2112	compact.exe	40
PID 2112 wrote to memory of 2348	2112	compact.exe	40
PID 2112 wrote to memory of 2348	2112	compact.exe	40
PID 2112 wrote to memory of 2348	2112	compact.exe	40
PID 448 wrote to memory of 1780	448	iexplore.exe	42
PID 448 wrote to memory of 1780	448	iexplore.exe	42
PID 448 wrote to memory of 1780	448	iexplore.exe	42
PID 448 wrote to memory of 1780	448	iexplore.exe	42
PID 1000 wrote to memory of 1896	1000	iexplore.exe	43
PID 1000 wrote to memory of 1896	1000	iexplore.exe	43
PID 1000 wrote to memory of 1896	1000	iexplore.exe	43
PID 1000 wrote to memory of 1896	1000	iexplore.exe	43
PID 448 wrote to memory of 3016	448	iexplore.exe	44
PID 448 wrote to memory of 3016	448	iexplore.exe	44
PID 448 wrote to memory of 3016	448	iexplore.exe	44
PID 448 wrote to memory of 3016	448	iexplore.exe	44
PID 2112 wrote to memory of 2120	2112	compact.exe	45
PID 2112 wrote to memory of 2120	2112	compact.exe	45
PID 2112 wrote to memory of 2120	2112	compact.exe	45
PID 2112 wrote to memory of 2120	2112	compact.exe	45
PID 2112 wrote to memory of 2612	2112	compact.exe	48
PID 2112 wrote to memory of 2612	2112	compact.exe	48
PID 2112 wrote to memory of 2612	2112	compact.exe	48
PID 2112 wrote to memory of 2612	2112	compact.exe	48
PID 2612 wrote to memory of 2740	2612	cmd.exe	50
PID 2612 wrote to memory of 2740	2612	cmd.exe	50
PID 2612 wrote to memory of 2740	2612	cmd.exe	50
PID 2612 wrote to memory of 2544	2612	cmd.exe	52
PID 2612 wrote to memory of 2544	2612	cmd.exe	52
PID 2612 wrote to memory of 2544	2612	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\compact.exe
  "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\compact.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:448 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1780
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:448 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3016
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2348
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2120
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "compact.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\compact.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "compact.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2544
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2548

C:\Windows\system32\taskeng.exe
taskeng.exe {3CAE3E55-C679-4095-8C97-94B09D36BA49} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\compact.exe
  C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\compact.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1896

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
f585c40026886ffcfea1abef05c01388

SHA1
a0ee4a2d0480dbfdef1d89e808f8c11ee12e2958

SHA256
39afa0c047415ba8969692b8f8afc0cd9f3a3f01f0cbec3ac42bf6ef2116626a

SHA512
56bd98c828351fedd7ca481e48a4002ed7e81a8bc463c07c7aa1ab7ffa36164170b76cfc46a5fd66cc53d49e0b6ae93c81fc7f11670ba2437bea10899bbd1fb7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
b90ec027b09feaa74179020d04bb2321

SHA1
0a5542c74f79163ff4f3db5e25640fde8cbff551

SHA256
df8cdc2fd9b8d3fd9fef1804612dfc171c37a2af999b669a97c2d2decedf1a63

SHA512
6b7d69395951fdf7f90f7be5309c9000fcdc29869feb1707c0221a1db462087d4c52643fb91c1dbe1f1adee61cffe0ef7ae652030bb8173f8ce052a03c9190d7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.url

Filesize
85B

MD5
2a7fd45074ddffc2581bd1a017e94ea7

SHA1
ab685c12eed11af7254a3c5c9666d3d0b96f2f8c

SHA256
cbfe6a2ddf0216cf0b7c2eabf8de55b804dd8f8ac4bc485647590be4969211ff

SHA512
854800d8430dd348befa429a65564eb441ba0a4ba9d1409307cbcd87952eb8268656015e5d5cf6c7357ff1dd9e64f4229071275f72319f2511c456eb133026d5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e99ff98b749947494c7196116987fa37

SHA1
5a31145bd6fc46c47e305c93afa56dfe362c40cf

SHA256
a8a632784cfcf84db96c72e0e008c8d75c6e0603a5e75954ea21cc130f6c787c

SHA512
15b3023eedc84a9c3d55c8e9afc393ed6cb26f5432e7a299f2a452db8bf0116cc460702345a8980ffe21e27a79a601fc212bacb0b59bf65a27ff2b4d69363a76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c84dc777f1bccc714f6cec199bc5b56b

SHA1
49e0771d5d80920421c1ee53fcdf8e08792b30e3

SHA256
6d85c18bb1d0e85d876ef0743f1feb632ec07cf2d8b24a2e6dde10e8d3a4f15e

SHA512
a6faa72f01664e29c59405a5be076caff0140005d1753c0cdeabb76c18f801d3e894961637ed63cb1a5211e396292470fbd504224eabc92248488bffb7a577a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f52baa9b0e3d85d5e05341d19883eb1e

SHA1
00fe2d3af588d2afc22a5dbe2aacb53bb17845e8

SHA256
14c62a7da28d9ebd1a07e0a01c16767cfd85d34f539e26fa45b7d27125c20562

SHA512
bfef8dbca878c2d7edf23c5c62737f381a57db5d76109f1202d75f56c209e4350ab099577951d947852e461ac5f5f0f756d50b44c96dbef92ac5b3941fb05708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d885e740368bb680aa9697bd86e6fa3

SHA1
b11c15fed3b6a62e1f72a2641c6115d5ed77fff8

SHA256
685f8a0cc7ae2e636456b106c27ea4a3dbcc70899fc105630ad43daec182c88f

SHA512
1f38e9e553b4668f3e3ab6c9fd07a45463b6cd1f1197c52fdce820e3f50f13ad373e3317a151ce078c514f9db734a3d92708cba141e71e3a6c92fbfcf3277f5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbdca067696586523a9ef8bfb3b8da41

SHA1
425ec4a0478d0a8572c8e3de815d5c045f95e1bb

SHA256
abc0ab687c82eb496abfd12eb27ac52124ba1afa9f63f9a99f7e74ba9b85bc55

SHA512
c5fdb6a964efaab80b3beea2ce10b1c3111b9568ebef45d9bf49e4f7dc7f1d76c95e5c4a86a211c6b0df794e78982767260dfcb43a69310dcb3debf7b25ecf1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76d9a40d341953cf1562443efc65faa7

SHA1
d3ea468c0fed5282fc4d3545701f69af3d141b5b

SHA256
3b5def07fccbe50f9cfe1926080757c1537bcbb9faff44ecb8a462fe9b080925

SHA512
7579c090ae3423b5aa5d776c645dbc2aa90d79f763368723d50c4882548ab2becc3993c0a95543abaf750cd2faa4ad9d755c5e134d08194145341770e30b2961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02aafad408da3c27dc1a03f15bb93f0c

SHA1
e7ea6eef2640282015aa926eb5941d1eb8bdf05c

SHA256
e64c1f3b0801f33e902d93404abc4031f4b450c7a6e93d309d9d9e552b0f50c0

SHA512
4d99e356c2c0c866135adc5a4c27641a0ac87f700b7e247d8045250b1e41b5530f9d47e6fba21a943821a20a295b3557ea0fbe7cd817dd82badf03d6bdf74821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6acfb5a3e603be5694ca3b19785416e6

SHA1
6214712796a4edfe290e244a5d415b189b517c53

SHA256
8aa91ba45f1721c5ca867be9306222506ef42f559a33777003d80b885b69000c

SHA512
2f7f647b1e1adeefcd36b8d2dc62cd6b4705e391c45e1b474274de2311ad0e81d339cfa7d72798aba7869d5eb518a3e49a59181e00a5db732d3811a55e7685c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39e2a7d05f3f57181ab9de41faca4122

SHA1
ac8243c0e90fb12dee4a0aa382162675ead23d25

SHA256
9745e539da77d6043e628f99edf3686508d986c65b5a61bc8404c9fe28a28763

SHA512
17e945dbd49f20f34edbd7bf2c2be83ad4fb510e49c707b66007ccdca75bc388e3733cbf955e429f1fe85cec3fcbeb564719f794e352add473ffa2b19258131d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f687796d8e01d3e7d1a2ca63ccd24a9

SHA1
e0cd8c03610fb04b4e7d72a25cdae004bc25d8bf

SHA256
9094b40aede9dce63d346229866ec3f045a609e9722e9cba48e9181ebc9c8e13

SHA512
4fe617d4934a6477f283a6db42461ab5190e550bff58200b2f7da6388fa84eb04793b153fb3b254371e6d1ff96a9b769e988d168dba8b229ca72ac84187c0343

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41d85a2ae7a214fb9803b1925b2b41bb

SHA1
cc9f2b961b9c98062dfbdb7b018faf58eb2c27c5

SHA256
7795ca9d2e9eba7a83853c410223fa97b7069c97814c08e945c0cfd2d27410be

SHA512
01ec60a82ea32702b41fa474965221895bb7453bc542f12062a9354769327c3b65f7a53bac93b7a72dc7d4081a49d4efcfa23cf5752b7a6641a9adb50d961cb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea6b319c909b68442a982ba70dd2e496

SHA1
8c459876a100c1e94819a5003cedce36eda6b36f

SHA256
b904697ae3b4388192bd5dd7328fd23e226d8c89edcebd4ab2fddc35008757ef

SHA512
5f889657d741589478a3f9e7d3f606ea1e34ba8414d06aad04b0cd14b28facf8cb3ea831808704ae75383009180f94bb6bc5f180dbbcffca876b3e762dfb4735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4612790c62f752333a096347b2ff2f72

SHA1
c521d6759dfcf1a7a6b8256cfd2377d53831e40d

SHA256
603a0295cb40d1200a33ca460665c43802315c04096a28aae3f5e1f507a913a6

SHA512
1acc488c60ab62d54b9a22cac22953af21ad5d23204ccbf8444d7344ac51614058800ba06f456ff9812bd493f1007a4b80e897cf1c22726f86f2d3262ebb7a73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9fa08f0b339fa3420af33bacecb0bad

SHA1
99fc87bc418b731174a8df354f0de10fab800477

SHA256
7e3e9cefb2674a6b6c94ad833e7a818c71ea2170cfbb0d8f61c8038340220e8a

SHA512
858bb66b660e2434b2f5dcbd1f42b42d2f2e247b1dac609534fd19b8ab6b503b6f501f461cc7c8482218cf01b3b6b1c31a1182ee84349ae836c30cc7bc96861d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94f771ab8c028c4b1f7fef745bcba121

SHA1
f9c5adfe3a7af2cf64754f6762f4190e9cd1ca68

SHA256
a942fe4e17e52b7a14d799ba4244dd6f500912ff97963fd1751ecdc2beb7ab7a

SHA512
2d349e1601c5299ad9b3af46d60cba7cec34e029aef4570e9f6ead563dd0558a87a45e9554fc3202202779d752e219c7093e1d0b15a98c41eea023adfcca689d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aa3e996bd0482ca65ef92a621d156e2

SHA1
f554f0fca55dc6f9d185d440c8944071d638fd4f

SHA256
2e26f4c5f3106149028ff4dac9bf4a09f9ee8574f3a96b27397e9a10cc7f879d

SHA512
324c3e22723b93226b9a6b36ccf16f6ec9305fb0c75dbc2aa9741664f665fddfa0f89a7fb67838d4a8a5f822c0eefabebcc715664b663c84bdbb46bf06099f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dbe3ab77a48e6ccd89348995e931ec9

SHA1
31230457c169f09773379fa5664e149893d1de18

SHA256
e9da364899fb00a27a4addf343af60ce23b3b112a0ec22626582e5a767572b01

SHA512
ef0b60570e63b249fb430eaccecd75886a33ecbe622b07f10ac5de61102f16c5e3fe9c93f889359aaf24a6b9bb86c1bf591ec2b65ea950fc594dbd1aed63c0ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ce40717ec31335ce274bde29a1e2e62

SHA1
7e47fb83e39dfc23e6a3e8fa5ec6550609406ccc

SHA256
cdc72cccf95adbdd1d347e562bd78c412344d3d996755555bbd2697a89189e36

SHA512
92003349a5156364f20b3ffc2cd111981f2b40b8e029c23b986461db50d4e71ad1e8202e5dbc547d690fb0870ee17b5b4753b58ad54b6333f553ecd575fa70ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3265e02e2c925c53d06fd4739eba1f39

SHA1
ca8a8f99c1fdd2485a953878e0bcfce27de4810e

SHA256
e9557c3fa5abc4235665381c1f47c9da5b3eb77a12d1734842f47da61f44687d

SHA512
41a743abdd010277f3fc99bc18176d5ede439fc477474a4b2da3c9c53faad5ddeb87a30909cd33148bff480baf473744dfee5e5d2d8f80430da8d406fd8486b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A17D0CE1-20E7-11EF-8D12-66A5A0AB388F}.dat

Filesize
5KB

MD5
f576aae0fe33650abc38d5975b89e157

SHA1
3b9f9cfa5e4cb5bf04ba3039ecf3e8eba1694813

SHA256
41fa90475340053611fb256bbf2e200f6fa7ffe0894efc1de3e67d713a8393a8

SHA512
7e797fd792b4c183a87b1823aa9a8566182b14f0eedd51f16eed31f82acab9a7ed549582e1cfb999bc2a40dbbe873dca3d70b58ac801f9effaef72da1464e684

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F3D.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FB2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\compact.lnk

Filesize
1KB

MD5
05a5380e3a21d1509b9ffc3ee6714c0b

SHA1
b22dc8e7267b31405e59789d6a7b2556475245f6

SHA256
d5ec3f7f6bfd7e2e573e75a1d87bb9d762b1dba3bc2661ede389e7a6ef4a88f3

SHA512
2dede7bdcac1e4c0dcacaa33835a872edfd2b51f01bb1730498bb5268e376ebe199dabe28ff81b5d5c788c93246e96fa6be0a44836c3915ea26b8250943f773e

Download Submit
\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\compact.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/836-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/836-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/836-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/836-0-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/2112-401-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-403-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-436-0x0000000004F30000-0x0000000004F32000-memory.dmp

Filesize
8KB

Download
memory/2112-397-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-391-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-395-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-383-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-419-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-422-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-399-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-425-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-405-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-922-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-923-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-407-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-409-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-412-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-18-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2112-414-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-417-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2812-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2812-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download