Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 13:30
Static task: static1
Behavioral task: behavioral1
- Sample: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Resource: win10v2004-20240508-en
General
- Target: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Size: 186KB
- MD5: 8ec363843a850f67ebad036bb4d18efd
- SHA1: ac856eb04ca1665b10bed5a1757f193ff56aca02
- SHA256: 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
- SHA512: 800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
- SSDEEP: 3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5
Malware Config
Extracted from: C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
Family: cerber
Payment URLs (the path 234C-9E91-36D1-029E-DB56 is the per-victim ID; the .top/.win hosts are clearnet gateways that front the same cerberhhyed5frqa onion service listed last):
http://cerberhhyed5frqa.zmvirj.top/234C-9E91-36D1-029E-DB56
http://cerberhhyed5frqa.qor499.top/234C-9E91-36D1-029E-DB56
http://cerberhhyed5frqa.gkfit9.win/234C-9E91-36D1-029E-DB56
http://cerberhhyed5frqa.305iot.win/234C-9E91-36D1-029E-DB56
http://cerberhhyed5frqa.dkrti5.win/234C-9E91-36D1-029E-DB56
http://cerberhhyed5frqa.onion/234C-9E91-36D1-029E-DB56
Extracted from: C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016. In this run the sample copies itself to %APPDATA%\{GUID}\w32tm.exe, registers that copy under Run, RunOnce, Policies\Explorer\Run, the Startup folder and SCRNSAVE.EXE, drops the ransom notes, and then deletes the original through a cmd.exe chain.
-
Contacts a large number (16402) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. For Cerber the usual cause is its UDP beacon, which is sent to every address of one or more hard-coded ranges rather than to a single C2 host; the Network tab of this report is empty, so the destination range cannot be confirmed here.
-
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services; it is the flow-count view of the previous signature.
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, w32tm.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (VirusShare_8ec363843a850f67ebad036bb4d18efd.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (w32tm.exe)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check; Cerber is known to exit without encrypting when the country is on its built-in exclusion list.
Processes: w32tm.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (w32tm.exe)
-
Drops startup file (2 IoCs)
Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, w32tm.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\w32tm.lnk (VirusShare_8ec363843a850f67ebad036bb4d18efd.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\w32tm.lnk (w32tm.exe)
-
Executes dropped EXE (3 IoCs)
Processes: w32tm.exe
- PID 116 w32tm.exe
- PID 4316 w32tm.exe
- PID 4440 w32tm.exe
The dropped file borrows the name of the Windows Time tool (%SystemRoot%\System32\w32tm.exe) but runs from the GUID directory under %APPDATA%; the path, not the name, is the useful indicator.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No process is attributed to this signature here; the sample opens its HTML ransom note in msedge.exe, and the browser reading its own profile is enough to trigger it, so treat it as unconfirmed for the sample itself.
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, w32tm.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w32tm = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (VirusShare_8ec363843a850f67ebad036bb4d18efd.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\w32tm = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (VirusShare_8ec363843a850f67ebad036bb4d18efd.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w32tm = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (w32tm.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\w32tm = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (w32tm.exe)
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 5: ipinfo.io
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: w32tm.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\Users\Admin\AppData\Local\Temp\tmpC7B0.bmp" (w32tm.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
All three queries come from the browser that was launched to display the ransom note, not from the sample.
-
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe
- PID 1020 taskkill.exe
- PID 5848 taskkill.exe
-
Modifies Control Panel (4 IoCs)
Processes: w32tm.exe, VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (w32tm.exe)
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop (VirusShare_8ec363843a850f67ebad036bb4d18efd.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" (VirusShare_8ec363843a850f67ebad036bb4d18efd.exe)
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop (w32tm.exe)
Pointing SCRNSAVE.EXE at the dropped binary is a further autostart: the payload is relaunched whenever the screensaver fires, on top of the Run, RunOnce, Policies\Explorer\Run and Startup-folder entries above.
-
Modifies registry class (1 IoC)
Processes: w32tm.exe
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings (w32tm.exe)
-
Runs ping.exe (1 TTP, 2 IoCs)
Both runs are "ping -n 1 127.0.0.1" (PIDs 3652 and 5904), used as a brief delay in the cmd.exe self-delete chains shown in the process tree so that the killed process has exited before del runs.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: w32tm.exe
- PID 116 w32tm.exe (64 identical entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: msedge.exe
- PID 3064 msedge.exe (10 identical entries)
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, w32tm.exe, taskkill.exe, AUDIODG.EXE
- Token: SeDebugPrivilege, PID 1836 VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Token: SeDebugPrivilege, PID 116 w32tm.exe
- Token: SeDebugPrivilege, PID 1020 taskkill.exe
- Token: SeDebugPrivilege, PID 4316 w32tm.exe
- Token: SeDebugPrivilege, PID 4440 w32tm.exe
- Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege), PID 1104 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 1104 AUDIODG.EXE
- Token: SeDebugPrivilege, PID 5848 taskkill.exe
The AUDIODG.EXE entries are the Windows audio service's normal behaviour; taskkill enables SeDebugPrivilege before terminating its target, so those two entries belong to the self-delete chains.
-
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
- PID 3064 msedge.exe (25 identical entries)
-
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
- PID 3064 msedge.exe (24 identical entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, cmd.exe, w32tm.exe, msedge.exe
- PID 1836 VirusShare_8ec363843a850f67ebad036bb4d18efd.exe wrote to memory of PID 116 w32tm.exe (3 entries)
- PID 1836 VirusShare_8ec363843a850f67ebad036bb4d18efd.exe wrote to memory of PID 4588 cmd.exe (3 entries)
- PID 4588 cmd.exe wrote to memory of PID 1020 taskkill.exe (3 entries)
- PID 4588 cmd.exe wrote to memory of PID 3652 PING.EXE (3 entries)
- PID 116 w32tm.exe wrote to memory of PID 3064 msedge.exe (2 entries)
- PID 3064 msedge.exe wrote to memory of PID 3012 msedge.exe (2 entries)
- PID 116 w32tm.exe wrote to memory of PID 1912 NOTEPAD.EXE (2 entries)
- PID 116 w32tm.exe wrote to memory of PID 396 msedge.exe (2 entries)
- PID 396 msedge.exe wrote to memory of PID 4340 msedge.exe (2 entries)
- PID 116 w32tm.exe wrote to memory of PID 3668 WScript.exe (2 entries)
- PID 3064 msedge.exe wrote to memory of PID 2468 msedge.exe (40 entries)
Every pair above is a parent writing into a child it has just created, which is how start-up data is handed over on Windows; nothing here indicates injection into a foreign process.
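The five registry writes in the signatures above (Run, RunOnce, Policies\Explorer\Run, SCRNSAVE.EXE and Wallpaper) all point at the same %APPDATA%\{GUID}\w32tm.exe copy or at a bitmap written to %TEMP%. The Python below is an added example written for this page, not code from the sandbox or from the report: it runs that pattern over registry-set events. The RegSetEvent shape is an assumption about how such events arrive (any EDR or Sysmon registry-set record can be mapped to it), the sample events are constructed from the IoCs above plus one benign Run entry, and the rule that any GUID-named directory under AppData\Roaming counts generalises the single directory seen here.

```python
import re
from dataclasses import dataclass

# Value paths (relative to the user hive) this sample wrote for persistence, per the report.
PERSISTENCE_KEYS = {
    r"software\microsoft\windows\currentversion\run": "HKCU Run",
    r"software\microsoft\windows\currentversion\runonce": "HKCU RunOnce",
    r"software\microsoft\windows\currentversion\policies\explorer\run": "Policies Explorer Run",
    r"control panel\desktop\scrnsave.exe": "SCRNSAVE.EXE",
}
WALLPAPER_KEY = r"control panel\desktop\wallpaper"

# Hive prefixes as they appear in sandbox logs (\REGISTRY\USER\<SID>\) or in tooling (HKCU\).
HIVE_PREFIX = re.compile(r"(?i)^(?:\\registry\\user\\s-1-5-[0-9-]+|hkcu|hkey_current_user)\\")
# Dropped-copy layout %APPDATA%\{GUID}\<name>.exe. Assumption: any GUID-named directory,
# generalised from the one {1B619EC1-...} directory in the report.
GUID_DIR_EXE = re.compile(
    r'(?i)\\appdata\\roaming\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[^\\"]+\.exe')
# Wallpaper swapped for a bitmap dropped in %TEMP%, as the sample does with tmpC7B0.bmp.
TEMP_BMP = re.compile(r"(?i)\\appdata\\local\\temp\\[^\\]+\.bmp$")


@dataclass(frozen=True)
class RegSetEvent:
    process: str  # image name of the writer
    key: str      # full path of the value that was set
    data: str     # string data written


def relative_key(key: str) -> str:
    """Lower-case the key and strip the user-hive prefix so the SID does not matter."""
    return HIVE_PREFIX.sub("", key).lower()


def classify(ev: RegSetEvent):
    """Return (rule, target) when a write matches the persistence pattern, else None."""
    rel = relative_key(ev.key)
    target = ev.data.strip().strip('"')
    for prefix, rule in PERSISTENCE_KEYS.items():
        if rel == prefix or rel.startswith(prefix + "\\"):
            # autostart location: flag only if it launches a GUID-directory executable
            return (rule, target) if GUID_DIR_EXE.search(target) else None
    if rel == WALLPAPER_KEY and TEMP_BMP.search(target):
        return ("wallpaper replaced from %TEMP%", target)
    return None


def scan_registry(events):
    """Classify every event; return [(process, rule, target), ...] for the hits."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            findings.append((ev.process, hit[0], hit[1]))
    return findings


# Constructed sample input: the registry writes listed in the report, plus one benign Run entry.
SID = "S-1-5-21-3558294865-3673844354-2255444939-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe"
SAMPLE = "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"


def user_key(rel: str) -> str:
    return "\\REGISTRY\\USER\\" + SID + "\\" + rel


SAMPLE_EVENTS = [
    RegSetEvent(SAMPLE, user_key(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w32tm"), '"' + DROPPED + '"'),
    RegSetEvent(SAMPLE, user_key(r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\w32tm"), '"' + DROPPED + '"'),
    RegSetEvent(SAMPLE, user_key(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"), '"' + DROPPED + '"'),
    RegSetEvent("w32tm.exe", user_key(r"Control Panel\Desktop\SCRNSAVE.EXE"), '"' + DROPPED + '"'),
    RegSetEvent("w32tm.exe", user_key(r"Control Panel\Desktop\Wallpaper"),
                r"C:\Users\Admin\AppData\Local\Temp\tmpC7B0.bmp"),
    # benign (constructed): a vendor updater registered from its normal install directory
    RegSetEvent("OneDriveSetup.exe", user_key(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
                r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for proc, rule, target in scan_registry(SAMPLE_EVENTS):
        print(proc + ": " + rule + " -> " + target)
```

The check deliberately keys on where the autostart target lives rather than on the w32tm name, since a rebuilt sample can pick any filename but still needs a writable per-user directory.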
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe (PID 1836, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe (PID 116, level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe"
    - Adds policy Run key to start application
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3064, level 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3012, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6da246f8,0x7ffa6da24708,0x7ffa6da24718
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2468, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3036, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4620, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5036, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1760, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2452, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 608, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4920, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1916, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2784, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5036, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3048, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5288, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5592, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6120, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13831571723930412444,4169340230598493229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    C:\Windows\system32\NOTEPAD.EXE (PID 1912, level 3)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 396, level 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.zmvirj.top/234C-9E91-36D1-029E-DB56
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4340, level 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6da246f8,0x7ffa6da24708,0x7ffa6da24718
    C:\Windows\System32\WScript.exe (PID 3668, level 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    C:\Windows\system32\cmd.exe (PID 5796, level 3)
      Command line: /d /c taskkill /t /f /im "w32tm.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe" > NUL
      C:\Windows\system32\taskkill.exe (PID 5848, level 4)
        Command line: taskkill /t /f /im "w32tm.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\PING.EXE (PID 5904, level 4)
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
  C:\Windows\SysWOW64\cmd.exe (PID 4588, level 2)
    Command line: /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (PID 1020, level 3)
      Command line: taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\PING.EXE (PID 3652, level 3)
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe (PID 4316, level 1)
  Command line: C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe (PID 4440, level 1)
  Command line: C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\CompPkgSrv.exe (PID 3120, level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\AUDIODG.EXE (PID 1104, level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x504 0x500
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\CompPkgSrv.exe (PID 2980, level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
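Both cmd.exe chains in the tree (PIDs 4588 and 5796) have the same shape: taskkill the image, ping 127.0.0.1 once as a brief pause, then del the file. The Python below is an added example, not part of the report or the sandbox: it parses that chain out of process-creation records and flags the case where the file being deleted is the parent's own executable. The ProcEvent shape is an assumption about the record format, the sample records are constructed from the two command lines above plus two benign ones, and accepting "timeout /t" as the pause is an assumption that generalises beyond what this report shows.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    parent_image: str  # full path of the process that spawned it
    cmdline: str       # arguments as logged (the report omits the leading "cmd.exe")


# taskkill ... /im <image>   (quotes optional, other switches in any order)
TASKKILL_IMAGE = re.compile(r'(?i)\btaskkill\b[^&]*?/im\s+"?([^"&\s]+)"?')
# ... & del [/switches] "<path>" [> NUL]   as the last command of the chain
DEL_PATH = re.compile(r'(?i)&\s*del\b(?:\s+/\w)*\s+"?([^"&>]+?)"?\s*(?:>\s*NUL)?\s*$')
# the pause between kill and delete: ping to loopback (seen here) or timeout (assumed)
DELAY = re.compile(r'(?i)\b(ping\s+-n\s+\d+\s+127\.0\.0\.1|timeout\s+/t\s+\d+)')


def detect_self_delete(ev: ProcEvent):
    """Return a finding dict when a cmd.exe chain kills an image and deletes its file, else None."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    kill = TASKKILL_IMAGE.search(ev.cmdline)
    dele = DEL_PATH.search(ev.cmdline)
    if not (kill and dele):
        return None
    killed = kill.group(1).lower()
    deleted = dele.group(1).strip()
    delay = DELAY.search(ev.cmdline)
    target_name = ntpath.basename(deleted).lower()
    return {
        "pid": ev.pid,
        "killed_image": killed,
        "deleted_path": deleted,
        "delay": delay.group(1) if delay else None,
        # strongest signal: the file being deleted is the parent's own executable
        "parent_deletes_itself": target_name == killed
        and target_name == ntpath.basename(ev.parent_image).lower(),
    }


def scan_processes(events):
    """Run the detector over an iterable of ProcEvent; return the findings in order."""
    return [f for f in (detect_self_delete(ev) for ev in events) if f]


# Constructed sample input: the two chains from the report plus two benign records.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe"

SAMPLE_EVENTS = [
    ProcEvent(4588, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE_EXE,
              '/d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL '
              '& ping -n 1 127.0.0.1 > NUL & del "' + SAMPLE_EXE + '" > NUL'),
    ProcEvent(5796, r"C:\Windows\system32\cmd.exe", DROPPED_EXE,
              '/d /c taskkill /t /f /im "w32tm.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "'
              + DROPPED_EXE + '" > NUL'),
    # benign (constructed): an installer removing its own log, no taskkill in the chain
    ProcEvent(7000, r"C:\Windows\system32\cmd.exe", r"C:\Temp\setup.exe",
              '/c del "C:\\Temp\\setup.log"'),
    # benign (constructed): taskkill run directly, not through a cmd chain
    ProcEvent(7001, r"C:\Windows\system32\taskkill.exe", r"C:\Windows\explorer.exe",
              "taskkill /f /im notepad.exe"),
]

if __name__ == "__main__":
    for f in scan_processes(SAMPLE_EVENTS):
        print(f)
```

The parent image is the discriminator worth keeping: plenty of installers run "del" from cmd.exe, but a cmd.exe whose parent is the very file named in the del argument is the self-removal pattern this sample uses twice.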
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f61fa5143fe872d1d8f1e9f8dc6544f9
  SHA1: df44bab94d7388fb38c63085ec4db80cfc5eb009
  SHA256: 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
  SHA512: 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: ca22bfcafb06f910d7dec6fba1707eca
  SHA1: b63ab7fa0c5f02d9d7342063dce1253612a954f7
  SHA256: dc70eee57480b38815208f27d75450d4eb6945b8c324546f01c40dd48fc3de84
  SHA512: a53a9051be1f2462078489dfeeab83c3a6bcbd71c0e72eeaabf4474ca5b3b626c77da50cc8bdb401fbcb4219bfd72e72f80cbac1a4c8510eb21837f6eba0f382
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 2c7dce70ce157befde80bee658a5a1a1
  SHA1: b96532a60462bbe670c9679eb91a38d20d8d980a
  SHA256: cae60e1f9c60364761f642dba6da5b64091ccc0a7355763d81f2bc67f63776a4
  SHA512: 5685586d54922eea5c7f117fae5018658587bc8888f12cd7d96d1fc7be23827e54b7ea4e276ae16273b29cfc49be6ac1c1a348c4d178d269ed4e65f190c62d50
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: c034db1bc2f5d09284384ade22651fed
  SHA1: faa2c3c4b2641af0d1c54d6eeacf77cdd743ae81
  SHA256: b1b161133495e07a03f06480020db15df6b3758cc57e9c3e8377fd16fc28850f
  SHA512: cd43a1ca79777eb6d2cc30bfe6ca6f7359fa04dcb568cd73ebeca393f8c37e98a09c98768bc9748783aafd870cf1ec7f8545485e7a99f19e3209e4c9aee7662b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\w32tm.lnk
  Filesize: 1KB
  MD5: f6a30c3411eb34d9934f371c6e4a236f
  SHA1: 4e19886247c04860423a8a067073136b6bfa8c16
  SHA256: c9288bcccd201deedbb0e0ba3f94f4a731c348e3e98b8a8b505c619fab28d435
  SHA512: a5be5c6e6e617ff3bcf7a726fdbecd9f23d77a7dad88988c04cbcfada17f0ad368c05eb7ee069bd446b90aeb97d4de7da9e65dbbf6919e84c77c1e75bab71671
-
C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\w32tm.exe
  Filesize: 186KB
  MD5: 8ec363843a850f67ebad036bb4d18efd
  SHA1: ac856eb04ca1665b10bed5a1757f193ff56aca02
  SHA256: 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
  SHA512: 800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
  All four digests match the submitted sample: the dropped w32tm.exe is a byte-for-byte copy, so the sample hashes are also the hashes to hunt for under %APPDATA%.
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html
  Filesize: 12KB
  MD5: de16dae9da88aa944785f12c9fc02a31
  SHA1: 0c9d677ca9f99f4ad7dc6c036bddf2444c9d9c7f
  SHA256: 0823342ee9dfe78919b7b97d0642c8193ad49a9cd61e471c336fd1e5cc0e2771
  SHA512: b8ad831c02cb0c86d0ee4a0f0e7fae648022f9307eb57ef5ef57d7dc893a0172c108247dd9231f8dc2cb07fb1b521ff7b8edc5886b74c659ec115d363f199526
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: c9c74a11690c5932dd9d8c5378a4b0f1
  SHA1: 0b3a120e8e09b879b63908dd4bb7927b9e5a7e67
  SHA256: 55f9e9b2f55e39fe6d13b7d15ea04b9da412d1e650855c04516ab024ccdb7416
  SHA512: 157855e6133184bc74015d8f716b2a1a8572cf57d76a4834f89150013d4a5d71d2611e731545df85d8a0a222cc2b572e94e7dcab06fa61ed99912e87551d26c5
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.url
  Filesize: 85B
  MD5: 51a03df9a08c33fc0c2a7333bf6924b1
  SHA1: a23c21a9769e64a22f234cf797c254b8d6913882
  SHA256: f7ec4d50b245e2ad409b12b06c1a4e910c095a77f837bd3320291b7bb6f1774d
  SHA512: 10af334f26e47aff2e18f592617c60115c714aa04dfe69ddef6b5bb28792a0ea7915a30aabe51222e67dd457bc9a0510cf29994ef09e2a534951abdeae7ec134
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.vbs
  Filesize: 225B
  MD5: f6d629f2a4c0815f005230185bd892fe
  SHA1: 1572070cf8773883a6fd5f5d1eb51ec724bbf708
  SHA256: ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f
  SHA512: b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c
-
\??\pipe\LOCAL\crashpad_3064_ILCDYGOKAFTTJATA
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-length input: the entry is the crashpad named pipe of msedge.exe (PID 3064), captured with no content, and carries no indicator value.
-
Memory dumps (path, mapped range, size):
memory/116-372-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-377-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-40-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-41-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-465-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-26-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/116-27-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/116-466-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-341-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-338-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-350-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-346-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-384-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-383-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-380-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-11-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/116-375-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-10-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
memory/116-369-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-364-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-361-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/116-12-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/1836-13-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/1836-0-0x0000000003580000-0x00000000035A1000-memory.dmp (132KB)
memory/1836-2-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/1836-1-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/4316-20-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/4316-21-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/4440-34-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
memory/4440-33-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)