Overview

overview

10

Static

static

3

VirusShare...5b.exe

windows7-x64

10

VirusShare...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2024 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_41dd108ada487cb93a6e099e074f605b.exe

  • Size

    382KB

  • MD5

    41dd108ada487cb93a6e099e074f605b

  • SHA1

    354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

  • SHA256

    aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

  • SHA512

    33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

  • SSDEEP

    6144:n0Ly6qr9+br6u1yvZgQHhEaBTuPwyQ9Hmdy1MsZ:nxF9FZhH+aBaPUGY1M+

Score
10/10
cerberdiscoveryevasionpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A | | 2. http://4kqd3hmqgptupi3p.we34re.top/6857-0654-2A6A-0078-109A | | 3. http://4kqd3hmqgptupi3p.5kti58.top/6857-0654-2A6A-0078-109A | | 4. http://4kqd3hmqgptupi3p.vmckfi.top/6857-0654-2A6A-0078-109A | | 5. http://4kqd3hmqgptupi3p.onion.to/6857-0654-2A6A-0078-109A |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://4kqd3hmqgptupi3p.onion/6857-0654-2A6A-0078-109A | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A

http://4kqd3hmqgptupi3p.we34re.top/6857-0654-2A6A-0078-109A

http://4kqd3hmqgptupi3p.5kti58.top/6857-0654-2A6A-0078-109A

http://4kqd3hmqgptupi3p.vmckfi.top/6857-0654-2A6A-0078-109A

http://4kqd3hmqgptupi3p.onion.to/6857-0654-2A6A-0078-109A

http://4kqd3hmqgptupi3p.onion/6857-0654-2A6A-0078-109A

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A</a></li> <li><a href="http://4kqd3hmqgptupi3p.we34re.top/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.we34re.top/6857-0654-2A6A-0078-109A</a></li> <li><a href="http://4kqd3hmqgptupi3p.5kti58.top/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.5kti58.top/6857-0654-2A6A-0078-109A</a></li> <li><a href="http://4kqd3hmqgptupi3p.vmckfi.top/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.vmckfi.top/6857-0654-2A6A-0078-109A</a></li> <li><a href="http://4kqd3hmqgptupi3p.onion.to/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.onion.to/6857-0654-2A6A-0078-109A</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6857-0654-2A6A-0078-109A</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://4kqd3hmqgptupi3p.onion/6857-0654-2A6A-0078-109A</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Contacts a large (16390) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\eventcreate.exe
      "C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\eventcreate.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:696
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:406530 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2892
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1804
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:2452
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "eventcreate.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\eventcreate.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1676
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "eventcreate.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1776
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:1084
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "VirusShare_41dd108ada487cb93a6e099e074f605b.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "VirusShare_41dd108ada487cb93a6e099e074f605b.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1276
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:1580
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {D4866ADF-6D8B-4B07-9AC1-4309C3340631} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\eventcreate.exe
          C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\eventcreate.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:1552
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2044
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
          Filesize

          12KB

          MD5

          074ae8d5087ae6f5afa8b0f5a30712eb

          SHA1

          db98d8437ebfc0dbef18c06ab9204ddf868215f8

          SHA256

          0e7d96d0af7b6296868105f34279f53909b8c26ef229b6d2209658f157ebe357

          SHA512

          41b1ee0c2fba32cad5bd4064f93bdd8affadbcc9054e07d0cf84272ab1d1044f6c03a2e4ecc6f850d848e73206b70f608c2d42b9a3effdd5e746e270640d14f6

          Download Submit

        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
          Filesize

          10KB

          MD5

          39e93c805f6040d56b004d6453bbc076

          SHA1

          41bf68b69e25f2fdab39959d3aa7819752f4d1a1

          SHA256

          84ee1ac8d692f7b74c6b5171750efd188695e367d24d651e3f101e7ccad0411e

          SHA512

          e7b588fbff0b3eb2234ce9a3e96c3fc1e50454215e90b712505e0c8474c3ace0af5f3384221c4505620abaaabff3c994f0d59039e9ab4f03a1022f3f7fd6c860

          Download Submit

        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
          Filesize

          85B

          MD5

          bc20fce745f4497b67152a1348b4b2c4

          SHA1

          2605bd148375b7cf5f691750055ad7e291ede7e0

          SHA256

          3e6acf420f948be55bee0f1cdff48fe0ea741dfea05c2adf1ade9c0a553a92e8

          SHA512

          d2b955b615628eceff8b923f4230b09b7b245897b778a877029fd5976587f193c40fcd0d7a4568cf49a121fcd42b57b95a0247e52bcae9f0dbf73c747ada695e

          Download Submit

        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
          Filesize

          231B

          MD5

          9d8c4bfbd009c4d6001e2125abaa8b02

          SHA1

          cd040558172b5fca5b200447a281843956243741

          SHA256

          a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

          SHA512

          c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          61a66aac59fac75c8cff4c9299399b3d

          SHA1

          b7f0e2acb737901b3860d8a7cf1623e23fcf6830

          SHA256

          4b08844e78b2f1bddc3ccc71022f96ee6ca21ad2273aea46924bc457673e5afd

          SHA512

          b7b6b699d127743cd9b415adba9f941358ad1ef5dc59d112a98d6f5ef2e14d00240ca06bba036eb20ef2d1b5895f18de0943528f92b5cb89372820101dfc86a3

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          3afb27e0f3a6d80cd013ebd2dc753010

          SHA1

          cbb183e6d4244f6fbcce317dc94e4e1f9c78cf4c

          SHA256

          a47175a34b407d1b62f68461df4705ad2cb82ab5c5d7c6639457c8758903d6a5

          SHA512

          414c78ff0a6f81256ed607544a3926375877888f2a569ec8e14db530761c3d5562526b36dd5c02f19c2938de8d4d31b02007bd930dd77045096d038b4fcd8ff0

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          3512cf3458f7acadcd49a25194e72795

          SHA1

          da022bb7fcfde3f979eddc8754a2dac653b0cdc9

          SHA256

          1412ec7c24e7e78530ac9f966a39ecddc88f87640675430e50bd1625bbdfd81b

          SHA512

          cddcacfd74d1fc17523210f1ffed2d474eaffc4e195d90b119aa82a68fc8517d7ed0d63150853a83efdcd04077de58756d302f3389b78a8b50cef306a8e4be0c

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          d024321929393fae178f9edf3fe48c3e

          SHA1

          0b9f8d721a03a61966cff4e61a5db6fef59e6efd

          SHA256

          85dc309df665c04e70d5209eccfbbbfd8e009b684ccc66507bb81b8a0b9f746f

          SHA512

          618c60f089ffe92a25a2d85bb73cf4ce433056108ae31fc9db31e29516a098f1cb64e2cbb424495c11861e5936025e630f2cb8289529b6a3c4f3592a5be9e549

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          10d54c2ecd5b9763a436ee01608707f1

          SHA1

          49f013c39b6183d0b5decdbe62d2143b28065728

          SHA256

          686e54013f015a181ba7b7860f6184044ef96e27e55a32b47a07dde0a3661bf0

          SHA512

          8de3ef1bc968f961d3d6b05ae75ffb46594601ab365656fd2239f25a21896a24103cdd0675130d33380d47da17b5609cf5fd2ffe1a76792abe6b6ab932d3be70

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          7c186b10df4ab10cf34edbc02ab16a3e

          SHA1

          eb14e3843a0b97289a872df6eeafac5ac97e35d1

          SHA256

          e67e0354f832a8f87449d40f345ccb843e1cbe63498b216a88bede5aff38da7a

          SHA512

          6f2c2c7e0061ffd507f92d1ca730adc230577aeaab7e3af03237000c33e6a3e9c8c013dc04eeaadde46167b0672cede753e066d8e0d267601fb1941d032a2f50

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          b010cb806c447e6b51ce86e103091f6c

          SHA1

          409500c9e9e86d0fcc98efb2fa686944efeb47be

          SHA256

          c21867820c69185855489aa8b755d7b6223c5f8a30005398cf0eb9919f5754ae

          SHA512

          9873677cbc9ab9a19137fba09d2b92476c64bce42b3aaaaaa4583b9e904a978732bfbda2f3f60e89fa65b2991b1757b93f29de52fe1698620bf652fd1dd28db9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          0cc0e0e0d77a667d0136f7c804a57875

          SHA1

          1bd7e26d5f3b35425c778a632789c28adff07589

          SHA256

          b70a21041e16e4816d1682d395ad7191cc3a7fc216c29de4dd690038d09b95ff

          SHA512

          216258d993d1b52ee609206889f1ba365b3abad82013b402a4ef28767419de248dd5c1ea4961cd664b283aa3d266af4b9a77ade0546292d0b04a688443e06289

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          984bbaeadce7c10d6b228df2ffd29bd6

          SHA1

          ad4b06d3a5c995bd8c91bcae1de8af963e100c9f

          SHA256

          9593a759be21564b0f745003ea702b1de9bc24e8679cd281d06d57659b94ac29

          SHA512

          baf6ffc17d33df6c423a7a5a912cda8c3f2b2c052cc546f4511fd2056d173e0e33a964c2efe8887f8b8932a3a82a578e017684457f07cef9547ac842f8aa0322

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          fea9d147a6f9c60f1b0afda8729cb9b5

          SHA1

          7d3e77b4aef4dfac20e42e06b945fa6f0b917097

          SHA256

          0389482264d2cfc063dd41f5d403a5f3bcf19e58868f6ad7c4c4fc3169be0fba

          SHA512

          4ccd9b4c9636527b1a9898fffcf2edfd5b03cf0d2ed90f1d88a7981ebfadd200bbec3e2b1b4f0d792273493e84735ef9c28e4208f67cf6e41a01e0a86a05b438

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          53d2df7c7474a3a33e8c4883091a87b4

          SHA1

          5e7fe03aca37e0028a8a10bc0e8bd40c93600c34

          SHA256

          3d79a171eef26092986f6d47eea897376b71febf455fdb2f8e03f2ab7291dbd8

          SHA512

          717ad0372c72b25eca6711ec02fbeb1227a2f8bc8d94664d10beb2760d0590bb370920c51190d784b65810114b6ec128208ae7dbb43a7820a1049d7741211085

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          e684a980936f336be2faef2a555f0de0

          SHA1

          490c26e9b21f302e38c5c8192fe247ad22216c87

          SHA256

          c6f3d8fa0f32d9678d8403461d712baa7e105911d2bc0eafef72878ce3c6642c

          SHA512

          8b54719c2d951c2e70e734000fb1ace9cd85dc26b5355cf53cf20bd16ffc176c84013ece541f205e7b94011b07204ec9fd855007e2ebeec1e68d21a9779934f9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          0698d02c8ff9228c8ba38c391a79d424

          SHA1

          e7af6800517f165a1cbc161de8aa855425fa4d12

          SHA256

          6a7ff9cffcc05ebae4bc358e95772f10e4b496a5255274f3b78b32ab4eaa8164

          SHA512

          d11c9e814d733f416f5b85fff26b31789f5ab474fbef381e8bbbf6549c2d89a0944f2b160f309e126209c1871ad9549da895c0d8145a9577fdd2f740a863ab6b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          fd652800a86672f67a0ce38425ba0817

          SHA1

          5f7a7ea59ebbe8d06607e89fcd0d0283c7fc964b

          SHA256

          d5aede0db7862493ed2dd4fce5b860dee07a29744e33e10b70d5a693bba7e131

          SHA512

          283f0a3deec4320fe163ea28f8671e6e43ec694945fa4e107f9a435dd2235c18043459223b6b25fcc7d4d40a390e7edb97b0a1fb05973d6ab333bc7167aacec0

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          90eb916c672e4b5c46bb61e2c22aaa81

          SHA1

          74c210e8f41181645073a034878c262036e9effd

          SHA256

          a3fda5dc66e60c7b9696b7f275c90b79aa7d2297afd30f60bf9ab4b97dd8e08f

          SHA512

          b325f1bc8d82cb9558f8b73a8884edd72d07b6a0b8c156195ca477a1eda9f7e9c4e2929df3369e25c25b8254a02b39357998b2410fc6f890d24635de17fc670b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          4776e197f16d3bc2026aa294e05fcda7

          SHA1

          ece8fcc65e7baac10240f4b3c5ef931cf8a69cce

          SHA256

          170ac84618a73c39525f96e8a30842bc7488c35eef09ae5d9472e7797ded685b

          SHA512

          933cd2fa67ca098afe76744f89fe9199813b1d889756b34354de43236b8c17b1aa189ee753f802a41cb1890029149d3d320b069dc75fe3ab4790bfd1c3e98c9e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          d7b78937365b1da929ae4845794df073

          SHA1

          cc7f2cf18145c5dbbb87f2959813eae10fccc3df

          SHA256

          29e47d321a4356e39fb4db01da7f88ea4aa280a59b224e3a473b4153ec8d00a8

          SHA512

          747f4ac3ac21e5c817af84ebeb62513988f55b900a81f5e6d53df9117b60f5d0495b1157a9640e8afea3c77aad9bfea39ad5243125faa82aa9b724197d2d4bd1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9EEA011-20E4-11EF-99EB-F2F7F00EEB0D}.dat
          Filesize

          5KB

          MD5

          926fbd8be0e1957a85b685a5719efc69

          SHA1

          feb761a6f1694c185b17b6ee5b9f8272b567dd79

          SHA256

          e1f96d379a690ef540d90237ab740900e4d3e6e17ab722df82136862a453fe2c

          SHA512

          cc371270466c977cf7a1bf9558c47e69c5b6711e01d9f1cff857b5e134739bfef3584250871343ef9da9754af587d30ea079fecf1cd0e8cc0b1d58b040668c2e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab3269.tmp
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar32FC.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\eventcreate.lnk
          Filesize

          1KB

          MD5

          77c1664060e9f616806b58d7d8cca8ac

          SHA1

          de03b8e9949f44c7e18ba3e799b51bd1bb46965b

          SHA256

          9c89d62afc4153b6eda40e168b4e671ab49396a3d06a2519cca5ec200486755b

          SHA512

          80d401ffc8d872fbd437411e975b2e7e165461ff3642bdb0cb533ac7aa32bbb004d23a1cb5062e49d0ea37c198ef78d042c394d4da0dde4a1db2818b18de8db1

          Download Submit

        • \Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\eventcreate.exe
          Filesize

          382KB

          MD5

          41dd108ada487cb93a6e099e074f605b

          SHA1

          354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

          SHA256

          aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

          SHA512

          33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

          Download Submit

        • memory/1552-22-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1552-21-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-470-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-463-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-441-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-439-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-455-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-457-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-481-0x00000000054A0000-0x00000000054A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2168-459-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-24-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-453-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-25-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-445-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-447-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-451-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-461-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-443-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-465-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-967-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-969-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-467-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-19-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-449-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-17-0x0000000003000000-0x0000000003001000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2168-15-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2168-14-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3056-11-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3056-0-0x0000000000130000-0x0000000000151000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3056-2-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3056-1-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download