cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C | | 2. http://cerberhhyed5frqa.qor499.top/DF55-0C2A-E28E-029E-D81C | | 3. http://cerberhhyed5frqa.gkfit9.win/DF55-0C2A-E28E-029E-D81C | | 4. http://cerberhhyed5frqa.305iot.win/DF55-0C2A-E28E-029E-D81C | | 5. http://cerberhhyed5frqa.dkrti5.win/DF55-0C2A-E28E-029E-D81C |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/DF55-0C2A-E28E-029E-D81C | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C

http://cerberhhyed5frqa.qor499.top/DF55-0C2A-E28E-029E-D81C

http://cerberhhyed5frqa.gkfit9.win/DF55-0C2A-E28E-029E-D81C

http://cerberhhyed5frqa.305iot.win/DF55-0C2A-E28E-029E-D81C

http://cerberhhyed5frqa.dkrti5.win/DF55-0C2A-E28E-029E-D81C

http://cerberhhyed5frqa.onion/DF55-0C2A-E28E-029E-D81C

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.qor499.top/DF55-0C2A-E28E-029E-D81C</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.gkfit9.win/DF55-0C2A-E28E-029E-D81C</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.305iot.win/DF55-0C2A-E28E-029E-D81C</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.dkrti5.win/DF55-0C2A-E28E-029E-D81C</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DF55-0C2A-E28E-029E-D81C</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/DF55-0C2A-E28E-029E-D81C in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	certreq.exe

Deletes itself 1 IoCs

pid	Process
2304	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\certreq.lnk	certreq.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\certreq.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Executes dropped EXE 2 IoCs

pid	Process
1740	certreq.exe
2960	certreq.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1740	certreq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\certreq = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	certreq.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	certreq.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp47BA.bmp"	certreq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2840	taskkill.exe
3032	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\certreq.exe\""	certreq.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB982F51-235C-11EF-AA6D-D62CE60191A1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000c705b6628b12c7dba07bbb641a063032a82367ddc08fad59d2360b807be3905f000000000e80000000020000200000008c8db42ef8f2e925c575b176633e9ac6e91adfd70e33828c6256d163764cd2b1900000007d8f095e830677ca35e67fef67fd0472abd51306dcfd2e20d715cb6f46d7c932779c9678c40718c50a4e506c3fb25c44a63f793bb83b9c1c592435cb7b0634d9c998709272d8bdc367c89573cc49b50b7b1c4d1effc3d123670df3f54f7f6fdb2b861a7655259d1c7d339193f9d1397a1528d1c5bca3cb85c9dc97226b24e384af7a6b225633d2e862916bf86898278340000000d50c02802107c4dd9ed89b237b1184a54100b35aa1fd8ead4d51d0517b808155307159aeff5282d974939b2ee3bec0087342266899f3f7ac92b265205f9b9693	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805f7a9e69b7da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423768587"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB89E711-235C-11EF-AA6D-D62CE60191A1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000b4b203b40cc3d85e024f6b49d9c423d0bb55cd0f5fa41ce6f7a7fe553c152e9b000000000e800000000200002000000029c97be386f70781073863f3110df7eb2705b751bd669151e93c53045002e20720000000c38682f1fe305bd960e61644867bc05cf0c1dda09e014551cb1b29b399e3c7e040000000c325122027fe76feb538e40258f0421635e4793bb99552e91f80b774148d4f3c7a72a7b1f4cb787a78ade5ac9f1b306ff5d6c556b6d3bfd4fdae72203286bd61	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2620	PING.EXE
1764	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe
1740	certreq.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	1740	certreq.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2960	certreq.exe
Token: SeDebugPrivilege	3032	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1832	iexplore.exe
1832	iexplore.exe
1588	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1832	iexplore.exe
1832	iexplore.exe
1832	iexplore.exe
1832	iexplore.exe
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1588	iexplore.exe
1588	iexplore.exe
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2380	IEXPLORE.EXE
2380	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1740	certreq.exe
2960	certreq.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1740	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2116 wrote to memory of 1740	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2116 wrote to memory of 1740	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2116 wrote to memory of 1740	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2116 wrote to memory of 2304	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2116 wrote to memory of 2304	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2116 wrote to memory of 2304	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2116 wrote to memory of 2304	2116	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2304 wrote to memory of 2840	2304	cmd.exe	31
PID 2304 wrote to memory of 2840	2304	cmd.exe	31
PID 2304 wrote to memory of 2840	2304	cmd.exe	31
PID 2304 wrote to memory of 2840	2304	cmd.exe	31
PID 2304 wrote to memory of 2620	2304	cmd.exe	33
PID 2304 wrote to memory of 2620	2304	cmd.exe	33
PID 2304 wrote to memory of 2620	2304	cmd.exe	33
PID 2304 wrote to memory of 2620	2304	cmd.exe	33
PID 2860 wrote to memory of 2960	2860	taskeng.exe	36
PID 2860 wrote to memory of 2960	2860	taskeng.exe	36
PID 2860 wrote to memory of 2960	2860	taskeng.exe	36
PID 2860 wrote to memory of 2960	2860	taskeng.exe	36
PID 1740 wrote to memory of 1832	1740	certreq.exe	40
PID 1740 wrote to memory of 1832	1740	certreq.exe	40
PID 1740 wrote to memory of 1832	1740	certreq.exe	40
PID 1740 wrote to memory of 1832	1740	certreq.exe	40
PID 1740 wrote to memory of 1760	1740	certreq.exe	41
PID 1740 wrote to memory of 1760	1740	certreq.exe	41
PID 1740 wrote to memory of 1760	1740	certreq.exe	41
PID 1740 wrote to memory of 1760	1740	certreq.exe	41
PID 1832 wrote to memory of 1736	1832	iexplore.exe	42
PID 1832 wrote to memory of 1736	1832	iexplore.exe	42
PID 1832 wrote to memory of 1736	1832	iexplore.exe	42
PID 1832 wrote to memory of 1736	1832	iexplore.exe	42
PID 1588 wrote to memory of 2380	1588	iexplore.exe	44
PID 1588 wrote to memory of 2380	1588	iexplore.exe	44
PID 1588 wrote to memory of 2380	1588	iexplore.exe	44
PID 1588 wrote to memory of 2380	1588	iexplore.exe	44
PID 1832 wrote to memory of 2412	1832	iexplore.exe	45
PID 1832 wrote to memory of 2412	1832	iexplore.exe	45
PID 1832 wrote to memory of 2412	1832	iexplore.exe	45
PID 1832 wrote to memory of 2412	1832	iexplore.exe	45
PID 1740 wrote to memory of 1996	1740	certreq.exe	46
PID 1740 wrote to memory of 1996	1740	certreq.exe	46
PID 1740 wrote to memory of 1996	1740	certreq.exe	46
PID 1740 wrote to memory of 1996	1740	certreq.exe	46
PID 1740 wrote to memory of 2392	1740	certreq.exe	49
PID 1740 wrote to memory of 2392	1740	certreq.exe	49
PID 1740 wrote to memory of 2392	1740	certreq.exe	49
PID 1740 wrote to memory of 2392	1740	certreq.exe	49
PID 2392 wrote to memory of 3032	2392	cmd.exe	51
PID 2392 wrote to memory of 3032	2392	cmd.exe	51
PID 2392 wrote to memory of 3032	2392	cmd.exe	51
PID 2392 wrote to memory of 1764	2392	cmd.exe	52
PID 2392 wrote to memory of 1764	2392	cmd.exe	52
PID 2392 wrote to memory of 1764	2392	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\certreq.exe
  "C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\certreq.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1736
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:865281 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2412
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1996
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "certreq.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\certreq.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "certreq.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1764
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2620

C:\Windows\system32\taskeng.exe
taskeng.exe {C99F4B63-85EC-4454-B4DF-D0183C65F745} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\certreq.exe
  C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\certreq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2380

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
a598d40a6b48f7fb4c87e052b8025f58

SHA1
bfb6ba02f274deab155bb53a3adb70bcd78ad1a0

SHA256
76adcb3607500a44ec6ff6839643cfe2559a03799b7be8b22e6d957378b86dfb

SHA512
31a89fd87bc9669b03c19f6f9985bc9367e0b2ce0e924666a108403d87b9c09d709579c3d286fd56405cd2134c041db903d35ad4b99cd8bd7f60139ae29a9895

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
5431e5f1d74f8091ce0b08c2e41f50e3

SHA1
9f708681804baed14d33b87a314957a2a05c9b4a

SHA256
fd99f70a26d886fd448cc5ae2c568c8e887a523c428b364bf2b8c0263f93e34b

SHA512
26d0758d9b3a417872727280908c6ee49be867da82230e3a9c1201d85e3e6b40e74324d373135dfb55d51247b96e426448aaee441392a6d1ed562bf749fc2bf5

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
39e5e9fc3fae709ba2bcfb7064113659

SHA1
7c7f831a9cf096f18899c4d669bf8508b25db1b9

SHA256
3148e9f63d52b05fb81d24eb7f7df5eaa02d36d291cec7a706c336aa54cba1e2

SHA512
5d9da7591d8037840a1b0ea8e9fa5edfa15e089404fb56c2e595650835bf98c6c68618c113b17e7b15b402012e1f872b8b2799bb37632432eedf3d7bcdbccafd

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ec9aeb6ad1305804987fc661625214d

SHA1
98a73950deabfa9bf6d068005a4784fc4e7ca796

SHA256
811cc5cd45ab9dbc30f7a0358fa71be8350301b779d7d60bd5e17fd88594f8c3

SHA512
d70944097f6eaad28a90b11797b799a3001428cd4f79053c78224155a7a76c70a54e49f22e84538577d8c8507c685607df8c727d76df20d74a7708b282189b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f088509cd8164d76e20e3321f481a62a

SHA1
92bea7b1e968851150370b9ea26a2f3da3434619

SHA256
cee8d77f13f8daba1c828c621442972783a37401a428fcb2c269a50d359c95c0

SHA512
c4f99c5c5f2fc1d9dcd6ed3af686a4aa09a314356af33c12fbdf51378b61598b6090054784d855e04a5a41da0e8e70977ca9a16ae0f44804bd54993c91053fb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14fbed77f22f934fc9d8dd6edfc1e9e0

SHA1
ba658c4e979634c1a7321500e064828641d2f941

SHA256
978d726c0a7adbf51d0ac8fae3d3ddcea625e997b797e74a9cab069548634e6f

SHA512
b182ace057300ec9428f7e40431783cac5a0148979457f0bb847ff5f480b23e99da18556c79b310c250966e85ccbbc4cbf42eb22e30520ed9b0b0df5b66e058d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
408d6a075689cbe29358a43802b4bde0

SHA1
58a35fa0e17dce503bc70296871b93cbfde55da6

SHA256
64f4e5117cda7cc1b5d740114d1168a1707d0b03e9a2b4351915fa73f3c99332

SHA512
1bf335e0bec1b99813a33802412ddcb0f247c6de1a1542e62c6cda448e8b70148db8314a45b88fc0cc774f457067b623e27941c723116d309e6f4fb340fb783b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85724b678b3d90684b221569e6b159c4

SHA1
93cb1ee96aaab5a1f0121f3475c0d1f1e3857024

SHA256
db01537fb5bcee3036082eb889cc428eba924da21d00484f175f66270d959bc4

SHA512
f88380d5273448fbeb3ff39cc69586a0598bcc346d7a5e2c81a9fed1f6a1160d5968eef7f4c92a5780649924d54b15d9084f38dfb57ac2af970d9fa6f9e16428

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4b73e86e2b0ff6646c2cafa54e43d24

SHA1
2557bf1fb426a7565672dfc0d8ae11cd201aefe6

SHA256
06acf59f7903e587ea7595d92833276c96460969e0a50163eb7acd2302c3e6f8

SHA512
949b753dab3ee0b411671a38b8203d75f3108bac044064ddb486c593762a9d7d75759acbc28b6d0356ea1a62ff1e2e7f3b6f3f2dd234b6f83e6eb4a9b0f7bd16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afa960964633f3a6f123faa74ccde8cd

SHA1
e2382afdac1a4da766fc62002bb17cf84250016f

SHA256
2eabe1ac74f9f74ce23ea718885e8b043d7824f8f7ff2f56147c5bfbe3a2f3c4

SHA512
2310a9a20b22d8a2d56e7976bb902c4ad4d3039acfa54c7b47bf189da928c038568629e2e3c0fa6bf1af8a3091e17e1d23fb7987ed088e812835d7e1aa7bb1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84da94e2a8a19ff5cb7ab95347724e33

SHA1
10870d96bef9031dc55723d71ec571277166294b

SHA256
47b65f6182c66767ed8544522cedd37c019b0da476b3bb74446e83ef98d53d74

SHA512
d5406d048a670b4eb5aceec312e1486ea9368bf82250e5c92c24eb1fc94d970461d8a679aa947ac2ee1be372e1cb683a7ff8148fdcaadc14d0df1cd6e4606a27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a102c7518fab4dacf4a3573096a28b2f

SHA1
9a88cb1a76ee9628ead7900b4d6457eab2c81cfd

SHA256
b8224587535efe8fbee76798eb04177b99fabbb5d4a5ee18612e39d2caa73a89

SHA512
23311cc7c250fa8666be7763993cccaa321eef26692ecd905b47ac2638c935d1ee6d852360e12537ec3451d25afc07576c47a846a15510d5ab750116eb418a33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03aad6fd9d72ac169097afb60813771f

SHA1
0939a55525c2e4cec6b4361d2d45e5263de34f1e

SHA256
8eea1bbc45ba787e18afd3ca3eeb4a2db95cb44df0debc7ad704a07163f4e37e

SHA512
aa13b5ca63a941a59b4106c4b98eb85436087c48e17f40beceec122292f96d15596b89bc9ac7b3a4da354fe2c254c5a83f133c912cba10e719add4936b7c5b95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0808676090b6d40d25aea1348ed47bce

SHA1
2263087bd9b33865097c6a75428699d5ef8f5b22

SHA256
22a3f601f52f5dd43579595ba3ef51cf1eb30cc32570fc547e773e797b659e85

SHA512
7000c33065579455437711f37d769c0482785565678a86aadebc5e3638ab829b8fa77d134cd3400a783df7aa5fc59c5d9e9888781c305bae0058af0c340295d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3e6d008eb439da51d837dd73cc98019

SHA1
d33c8d23d19868fc586abb304bd1995f389e8850

SHA256
c4369dc6e457e67cf7f6a602991a0a7e9b1427e1854bcb6c8e042cd157cfd852

SHA512
801215e774dd9232acdcad6331d2d967d0e83edd9d0960b63c70c395dba861b962dd4f988f95b4f9dd04d945feb61690fc3d84910ecac7ce81014b6c38691cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff80b5ec731d91dfc0c297e7274b8b16

SHA1
ff0bdf5fe11aab51c78068db2089f7561930e0ac

SHA256
d5fb3b857469fcc2d15bec415d1d9d79f243ec0a778df8003190a727d1ee0e19

SHA512
b435819570e94483452b440f157d5ee94a583b1410595f07df9705118af074b639f1648e95de7d8285e8becee1ec24f48e6cc089e2d7137c4b124e1af187097a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eebdd34a4e506bbf7406a29d55442270

SHA1
93eb66cdf714f9c21cd4198a0aadd2f1b687c369

SHA256
388e26debce71c7afca7e0ecaf3487bb1be0e8f7fbf8afe603b398f156b60982

SHA512
55415049195734c4725eb5b5c76d8406ff08f4048eb2c99b1c8ee72870d0122c3a8ed137b64b7d8d245e8481b77633b3e848b9032a7c8d9f37f25e6b4543fe07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
881aa72752fbe305b689471b35afba82

SHA1
360dfc13567c5ff72454db6bec8a0bd152a7fd6b

SHA256
c36dee0682af217d0b798e8158cf9d27b68921f17207363ee23c49cac8e14372

SHA512
c4180b38c4e45e205841c594b2349dc783002b48bbc4db168b12ed29410cbf00b063c73207d9e390a1f8afc41a474429e2e9626523d9200aab8237ac041f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1099461194ef4eb0197332ea5fa0eb5e

SHA1
8973f5f536694ac365144471b658f667da6620bf

SHA256
e92641741258be9010e0651319ed3d67fb0cafcccff57b88690ecdd0ad612937

SHA512
998c3337330dca844cbd211e30ee6cbe9701aeb7f98accfc31b0bf196c27800657f1f0d940d0420eaa5cc7da66070681c1ee961bed52cd2dddcdf3ef14911980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c09e505114b478724d79cdded95cb9d9

SHA1
cbd2b3686cc1ca625c20e3089ca8c338e559d3b0

SHA256
335ca131956783b2ebda6ea0fef2e36aeab090114d340144e40cac34c7b847d5

SHA512
e23d4d7527cc9f922a6af7df4f32a6bd3859cda73aa0b914fab9a26bfda5476fc482fc569eb23a9e7561ce62a952f506dcb82b0a24ab25461f72558d1e056da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
295bd39da215c3f3424a772535a5f5a5

SHA1
d32d0592fc54654e4fe453a99f190e040ddd3ffc

SHA256
2cbc077623e0d07d2b125004bcf2127bb30d5eb0b7e5839ee4a0c5be775da545

SHA512
b8391697754a161e6e5c24ae7073f3b4f065d81993cc01b759073c1fb2327eb0a493adac9a517620f1099556a8d8630edca52c0282df61a4b1a0157fbd6edf41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DB89E711-235C-11EF-AA6D-D62CE60191A1}.dat

Filesize
5KB

MD5
2d7b407dfa0674a919d59154129f621a

SHA1
f4b940db3b1414ddcf0d311cad5f088d197ebbbd

SHA256
7108588c4c9c9df46cb5b48913a6111189cb3e445c2932908175ad636c6ee07a

SHA512
d05defad74a700ce3dd0a7c553b5d3a5f4cb7b9f04d7ddbd90c837af4274ca66f48c05d319488027f25ce04d62b99d1c11b995d1d5f59b1a70eaed1e5832c908

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5EF3.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5FF5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\certreq.lnk

Filesize
1KB

MD5
2ed51e4598fe5c82310d81e5d8984d12

SHA1
91ac3a18f1f1dcdc73bc570ce8cddbb7d85b4199

SHA256
14570f15dd14a662534e10467705a6ab92f87890ad3690e55a61975cfffa8b70

SHA512
53810b89e2f3a714c1ddbc1404f6a97160d6858be3df73ee59de3da6ff3d88b28ac9e3f29d9e4e031f8dd0f944465a38b52e6fd6be2dada124969a944fb933f1

Download Submit
\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\certreq.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1740-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-453-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-438-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-483-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-481-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-480-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-444-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-493-0x0000000003900000-0x0000000003902000-memory.dmp

Filesize
8KB

Download
memory/1740-447-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-450-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-468-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-474-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-465-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-441-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-456-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-471-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-459-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-982-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-983-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-462-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-18-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2116-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-0-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2116-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2960-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2960-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download