cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
125s
max time network
127s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F | | 2. http://cerberhhyed5frqa.qor499.top/CB0A-1407-1C9A-029E-DA9F | | 3. http://cerberhhyed5frqa.gkfit9.win/CB0A-1407-1C9A-029E-DA9F | | 4. http://cerberhhyed5frqa.305iot.win/CB0A-1407-1C9A-029E-DA9F | | 5. http://cerberhhyed5frqa.dkrti5.win/CB0A-1407-1C9A-029E-DA9F |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/CB0A-1407-1C9A-029E-DA9F | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F

http://cerberhhyed5frqa.qor499.top/CB0A-1407-1C9A-029E-DA9F

http://cerberhhyed5frqa.gkfit9.win/CB0A-1407-1C9A-029E-DA9F

http://cerberhhyed5frqa.305iot.win/CB0A-1407-1C9A-029E-DA9F

http://cerberhhyed5frqa.dkrti5.win/CB0A-1407-1C9A-029E-DA9F

http://cerberhhyed5frqa.onion/CB0A-1407-1C9A-029E-DA9F

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.qor499.top/CB0A-1407-1C9A-029E-DA9F</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.gkfit9.win/CB0A-1407-1C9A-029E-DA9F</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.305iot.win/CB0A-1407-1C9A-029E-DA9F</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.dkrti5.win/CB0A-1407-1C9A-029E-DA9F</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F" target="_blank">http://cerberhhyed5frqa.zmvirj.top/CB0A-1407-1C9A-029E-DA9F</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/CB0A-1407-1C9A-029E-DA9F in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	fsutil.exe

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fsutil.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fsutil.lnk	fsutil.exe

Executes dropped EXE 2 IoCs

pid	Process
2540	fsutil.exe
1684	fsutil.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2540	fsutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fsutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fsutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fsutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	fsutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fsutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	fsutil.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fsutil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpF518.bmp"	fsutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2532	taskkill.exe
2360	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop	fsutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\fsutil.exe\""	fsutil.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000367c866a1206bc4295f238b310e7897300000000020000000000106600000001000020000000195587ec898d9d273c4e963d96d4ab19ba5a3e5f4cdc187a6769e9b342f3c56f000000000e8000000002000020000000c3f8443f11d7f883c6a09ee404a44626055d5f19dd3062e832c02827aaff2d8120000000a120f21ff44f06f6e715ecf6efb5248f888b7d3725775a8ab3524885f5cf32d740000000d8bc6b3c351e363df093ffeb593309f2089cb81336d5ae6932eb42a015514eb5c040124cbcba8f67b5064ef90be37eaefc9c3e9dde7e1430f204d3a303f62af0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423940483"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15800FD1-24ED-11EF-82B1-CE167E742B8D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15768A51-24ED-11EF-82B1-CE167E742B8D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000367c866a1206bc4295f238b310e7897300000000020000000000106600000001000020000000c40bbe0515f2c0e709f90a279a9149d0cbd64bd90d6e6007e59abdb28a13c585000000000e80000000020000200000008322e2cf9fff38356b782f4ac336ca601690180865997388a4e864b018682cbb90000000af3ac5eedabc2e51d7ca6db93fd15e62350419eea02f427b18a40c3999c8ab8e967ce46bc857360b86501e72e50c6471840c4437e412e06836525983009e3e083732f5b80580699b31af05c5af5c3cd8d96df1cfcd6f9610920ce84e42e78723a37f2d3337f64c5140f2b00ada69e8789890418de7230aa3ce7f8490fe8ae3df1ddaa2a770af397c2dd51531992fbb634000000062d5879a014ef41cdbab8f215b5d6a8f6a705a4209c25cfc9296dbf545336510739fad2849b92cb957841450c67026cf6afef6e9832d89a1b879f57bff4e28d3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c02323d8f9b8da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2456	PING.EXE
2008	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe
2540	fsutil.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	2540	fsutil.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	1684	fsutil.exe
Token: SeDebugPrivilege	2360	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2100	iexplore.exe
2100	iexplore.exe
2268	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2100	iexplore.exe
2100	iexplore.exe
2100	iexplore.exe
2100	iexplore.exe
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
2268	iexplore.exe
2268	iexplore.exe
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
2540	fsutil.exe
1684	fsutil.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2540	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2932 wrote to memory of 2540	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2932 wrote to memory of 2540	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2932 wrote to memory of 2540	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2932 wrote to memory of 2592	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2932 wrote to memory of 2592	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2932 wrote to memory of 2592	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2932 wrote to memory of 2592	2932	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2592 wrote to memory of 2532	2592	cmd.exe	31
PID 2592 wrote to memory of 2532	2592	cmd.exe	31
PID 2592 wrote to memory of 2532	2592	cmd.exe	31
PID 2592 wrote to memory of 2532	2592	cmd.exe	31
PID 2592 wrote to memory of 2456	2592	cmd.exe	33
PID 2592 wrote to memory of 2456	2592	cmd.exe	33
PID 2592 wrote to memory of 2456	2592	cmd.exe	33
PID 2592 wrote to memory of 2456	2592	cmd.exe	33
PID 2652 wrote to memory of 1684	2652	taskeng.exe	36
PID 2652 wrote to memory of 1684	2652	taskeng.exe	36
PID 2652 wrote to memory of 1684	2652	taskeng.exe	36
PID 2652 wrote to memory of 1684	2652	taskeng.exe	36
PID 2540 wrote to memory of 2100	2540	fsutil.exe	39
PID 2540 wrote to memory of 2100	2540	fsutil.exe	39
PID 2540 wrote to memory of 2100	2540	fsutil.exe	39
PID 2540 wrote to memory of 2100	2540	fsutil.exe	39
PID 2540 wrote to memory of 3048	2540	fsutil.exe	40
PID 2540 wrote to memory of 3048	2540	fsutil.exe	40
PID 2540 wrote to memory of 3048	2540	fsutil.exe	40
PID 2540 wrote to memory of 3048	2540	fsutil.exe	40
PID 2100 wrote to memory of 1672	2100	iexplore.exe	41
PID 2100 wrote to memory of 1672	2100	iexplore.exe	41
PID 2100 wrote to memory of 1672	2100	iexplore.exe	41
PID 2100 wrote to memory of 1672	2100	iexplore.exe	41
PID 2100 wrote to memory of 1312	2100	iexplore.exe	43
PID 2100 wrote to memory of 1312	2100	iexplore.exe	43
PID 2100 wrote to memory of 1312	2100	iexplore.exe	43
PID 2100 wrote to memory of 1312	2100	iexplore.exe	43
PID 2268 wrote to memory of 2264	2268	iexplore.exe	44
PID 2268 wrote to memory of 2264	2268	iexplore.exe	44
PID 2268 wrote to memory of 2264	2268	iexplore.exe	44
PID 2268 wrote to memory of 2264	2268	iexplore.exe	44
PID 2540 wrote to memory of 1548	2540	fsutil.exe	45
PID 2540 wrote to memory of 1548	2540	fsutil.exe	45
PID 2540 wrote to memory of 1548	2540	fsutil.exe	45
PID 2540 wrote to memory of 1548	2540	fsutil.exe	45
PID 2540 wrote to memory of 2384	2540	fsutil.exe	48
PID 2540 wrote to memory of 2384	2540	fsutil.exe	48
PID 2540 wrote to memory of 2384	2540	fsutil.exe	48
PID 2540 wrote to memory of 2384	2540	fsutil.exe	48
PID 2384 wrote to memory of 2360	2384	cmd.exe	50
PID 2384 wrote to memory of 2360	2384	cmd.exe	50
PID 2384 wrote to memory of 2360	2384	cmd.exe	50
PID 2384 wrote to memory of 2008	2384	cmd.exe	51
PID 2384 wrote to memory of 2008	2384	cmd.exe	51
PID 2384 wrote to memory of 2008	2384	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\fsutil.exe
  "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\fsutil.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1312
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:3048
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1548
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "fsutil.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\fsutil.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "fsutil.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2008
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2456

C:\Windows\system32\taskeng.exe
taskeng.exe {566E0727-9A7E-4AD0-A6A3-B8C77A4C3071} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\fsutil.exe
  C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\fsutil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
c0d0714166e3fa28d79585821798a032

SHA1
1c92efff5b7025d6dd56c07dfd74999d91194ea2

SHA256
a3810e005712962fadde630750d53916980c76051b09852dc46fdb8af8caa890

SHA512
bfe3fdc7e18a2494e071ccdd515904b77612683c783b81267bab280721c9bf7ec059771001ea2ae18efd1d8152121d30af38e082fb3a1637cc81462a2aa3da07

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
1337d3cb047a1d70b553b4c70d4b7c81

SHA1
2ad9bef0aceb8e24393e6709b094acec47a53f7c

SHA256
895e9a85178af1ab42da9a550106d0f39add19baa9364f50745f4a8f9d922c31

SHA512
c15d991a94201c25d885a14de777f9990ebc2b31e8e339611f4922bda6f98afb720e22b7176f67827f5fd77920e34bc7667e0e3d19fef4bf641a86d4fd0c200d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
d39bedaf893d76a224f5b0f743701d92

SHA1
1e8b72579722d6c1d43ac2143cd44e917fdffb8d

SHA256
d9cc9a0b4e8ac752c7b0ed5ba729c445d952ca467351e0d8fe3ed419b9bcff33

SHA512
0c28373abc3d7a32bb0dcec9bb7764f7a8fd31e67650425c97a63349dcba8fa1a283d24e6a4f6d532581c5d86ded912fc0cbba689dc1fb7be5856414345a5b0c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19b0f1718ef297c436e262bd2c379012

SHA1
e6b34969e957696088397e2822c7998a06f87856

SHA256
1112b6032b76cda366fc65f13326d98b591a722d4a47ce67481e3d300eda8c51

SHA512
89c49a49e01a47a482a2c8bdb8191bfe078aee1308da0585e7a7d8a61852000b53ba4013001cee5edae5e5bc36721ad48b535a0a15c992e76ff758f5dc78b9ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d837b1682a5f5cc2ea11864241c8d16

SHA1
51472dc9da2e3ef1b5a2f38b96f3cc45fd40132e

SHA256
231dfea023f94f5dea732ce87df94c3f70dcc1a121b85b7e8459c1cc86aea8de

SHA512
0ef977cd88b8e680afbdb351217f297f032cdfdd2476b359942fac42d7e7365e1629ba27d912ff0df077f91492d00b61a2fdc64eb18921d3397bbc7a351e15ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
630d770a170cc359ed61d2c48a74b7f7

SHA1
548201dec5308fdb6f96ba79f74cdf6e4ca20d24

SHA256
59f267a92bd6c7e9cab12b7f0291174b852732d90e22534e44de9c8c640ccdbd

SHA512
bd09ee7912640ce25aaf3fb070aa0be8664767fc4a29c6fbad0a7fe56551dea677ad25e93880a9b6b433f08626aa3821633b90a8817fd9ed91925f0820524bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86a4b1bddfe8ed1c87fe65f498c1db30

SHA1
847a07df0523f7096405ac64b45a98bf0941f457

SHA256
3c9fe2a8391ca66d212fd61fa29b0692c5e3c2a5e1202da32bea44a468e8486d

SHA512
9382ac041d28710e8fbca4c019da8e8b656a1d354545ed89e106b0caa6d544d53c393825c8bedd46d3f213c08fff400a9a93d96fd25dd3546b628bc7fd539e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f947224ac5761611bdf8c7ed900f1f6

SHA1
3d7ade72b57a842d644433612c89b18599b742e8

SHA256
6c1981e8bf7a12d8834d7936efe622d78211fbc1c860676773564c176d81c67f

SHA512
fa59c6153a18ef6f95de829cb7667b53c24b6b14786978a7111b59045558e207e3b6c0558a90278503bc532a2f7cbe70f64564a00d800bf019f91c042a59719d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
946a646caf6af1a7134968410110a6ef

SHA1
0f1932728adfb31a5794fc17c17fa699080564ea

SHA256
882aa900d6bc4917ddfcf1f647575cd552a4cf1096e54a29869758dc087415f4

SHA512
7190adda3b84246ebd4e39618c22eb3f2262310a220c97b469621ed1d62d1f0192fa30a0459fbef899061ca637ed2587527944d3e74f9a872ebb326f5cfc8da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c4096a9a74ffb8c9173ac6e6cd0100d

SHA1
97c21aa85cc89c0459ed83010e58a74ca9bff9e1

SHA256
4c7f431c5d17310f1c80d470897221721ac6026e74a35bd4786dc0e0eda10192

SHA512
d75b569d22b5f8fa0db3757dfa65e8f31561df9c88215c6a1fcea45a81e60119e0e58e9e7af7fbd6e76530760eec401bc602791fa33f0992f99edfdf481a981d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19c8d3c8480766dda75b11d856cbcc41

SHA1
1f9cf25f1b471ea142e9ae2ae0a56ccd27997a34

SHA256
0398f44d3133d03cb3e1d390bd7ea4b7bca8dd26818208bcfd943243c0f0ec87

SHA512
ea6660ddd83088b5022529e64039329cd0909fa343c293fe0decdbe6ee45f6da15429dde04e9cf8cd3840c24944d8041f8c4a009ae62c1aa72e678686b39772f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d54466d9feee172124cc6e9801f70ec

SHA1
d89b355b6942c9e6963d732470835d9f47a298fd

SHA256
6fed693e751d5658290f2ae2a9eced0c2531677f825e4fb917a7dce238c151f2

SHA512
aa7dbff1328396a68eb74249159ec9918c25ef30256220bd7c8a366c9adf3686297469ceafeb98268493c7d5fdd21110ae1dc53e65ee823505154567e659090e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beb0aa0f32f08e1ea37bae85b666cbe0

SHA1
5c8404e8b97b2a118f6e48184774052bc7d73e48

SHA256
788c743b33ea024cc182feceaee12ebd5512fa2b4a1d5f11c7636e44cdfd5132

SHA512
e5e1af276fa34518c52bd6a085267a28ab006a5beac8257529154cf03f904628451aea61cd8516c9a0eaea1d059a7573859eaba6a5e7fd7bce77e37e77fab57c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21de7d60ce7072411cbebec505239abf

SHA1
0d29dad40d592b26bd7a2af5ed80f3cccd667079

SHA256
dc0a112cfac307c041fdd499b386f1041b1494bb0b9f737710e55f1a02769a1a

SHA512
fe5b2df2524438a6ef433bbc20fa616928619ad0d7ff74711893e989842be5770efb4c388c2f6150560f210e005feedd4e7b0d8116cec97950d3035da096838c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfbb683dcde42e93fe66b302284b527b

SHA1
a3224b54d554963b8bb513daf3a649b95ece6af9

SHA256
610ab2482898df3c0d1cf1275fe136d2779b34f8d0d9f8ddc23d1539f4536574

SHA512
f2979bd0d2007188ca886f7804b31cec7d4b22bea4b39e6d2bca1129489a0d2be609246e74f53af8968a0be8c093c3eff6dc356881aa9a563e4de04e55fea5ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de1a49fd5a3ee870819bd5cbb9478189

SHA1
08d778447210b78f743cf45cf92270c778a6fde6

SHA256
e397dec60c5d27f40266d034de77d33f082fb3626f8efe14558c538ee81ab30b

SHA512
b19294c46118b7be0e3ed6e5fad90fc9fcbf433c8393c68b04c870cc4b78ddff334b4db14f19cf7eb53a7a044910a3c60898f1b4844082dbb98ef7e83d396b1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
625a1bec2034cc827f9f6ecd45ef3abd

SHA1
eb0c09be3f90f58e4fb2157779dcfb841e21b4aa

SHA256
3cd1155f0af52f9cd6800d9b969d2d88f06d6f4b9c6a8eaf5db733c836524a22

SHA512
6ab6f623234c52685eda6d535ca1319d4af3d0e5ccc7df1f4883553e1959226f6e644ff1aeb0f91283fc74de0ff543c4724b81b5076dfbf04e6a9592178853a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab5cab1b0eedef64b99625f8e14c076c

SHA1
524c72c03782079396bcf9898d44d7a90e9ced6d

SHA256
fb02998a814faa100e04320faa57592d1505dcffedbdae28c8d7b85d5c98bb3e

SHA512
c4d17f2b40cd0c37ca5b70e569c759cd7b3f7d11e69ee528b1187f56ca957e7d83a2a182e0c034a4e5fce1d457b44568a707f0ffb67d2c3a35f6e4d13c2d490c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
246ebed109d7eb95c2c4dbcafe7b7502

SHA1
4a4dcf780b27933d54ff2765339071b3dfb31ef6

SHA256
86958f7176dfd4d11329b0e7c61ff02f49d03b44ed97efb6dc180d3ee55ce35d

SHA512
3b2aaa3c4dc57a86d16dbffddabfaeb51c8224ea05055915f6ea1dfde8d52fd58bd9016cdaee7a7b9748b4c26f6bf1402456dc81bbe774de9bc8af5cfa7a8c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
916946e336582b961596fa935adabe04

SHA1
1e5af92793b5d54c8995f0942298597d2fa17efa

SHA256
77b4818e103da7fbea0701e8a69e8e2625ad49c43357bea5ba47e0800ed9bc56

SHA512
47e0f55881f78ca17eca401995c76e98fe881456e035a7c90505471206005fc94d8f06a4bf066dd185d8122568bacae784a538b857e0011eea23075cb86c838c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdc56dc539d1f3b89771d11f116686ea

SHA1
36a9c9fcd628cb56fc09d0e787d0a324e6833f30

SHA256
a614b0e9875202452c115e5f18ac0fd5265faa33dcae5df9c5dcb1603813742d

SHA512
c468be4bfbcd822935f66a99d349267573b2ad3b48b02d6e9a966dbcb37de6fe94bd3cf9d5ef63cade685b36dc7135de29fa3fc49da893c751df577e31590a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{15768A51-24ED-11EF-82B1-CE167E742B8D}.dat

Filesize
6KB

MD5
7ab8fd7b60a84915033b1ec4485472e6

SHA1
49ed3bc970cda00a5d9cf96acb59b1ede3ba0db2

SHA256
48ebb2dc691d7a347baa728888946a9132d90f2faddac1c8cfc1d57ada7851fc

SHA512
0d36a78b8bb077a5d3bd0a30fe97d49ec60ea7fb5326d4e55839a89e4e4e39b7e257887002eb6284069e462eab5b8a8ff80d93cc0cb430990236cf7a83f4a978

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB79.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC5A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fsutil.lnk

Filesize
1KB

MD5
a7caa24241b5c0f46af90ecfcad1827a

SHA1
f936f10b9820eab93f642923cb16defd45e79249

SHA256
a0cc66fb34fd6aaa24e6cbf6314d207794561de72390dea442006abbbbfc35f0

SHA512
f843cfbd721f646fb0c9306663205f61db63f7cba5b61a6283e932a65a945b24a8e90a6f41b173905689a2565e0486daef4db3bc6223e269d681d3dc7ca02aab

Download Submit
\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\fsutil.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1684-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1684-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-428-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-409-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-406-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-403-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-398-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-434-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-437-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-453-0x0000000005250000-0x0000000005252000-memory.dmp

Filesize
8KB

Download
memory/2540-440-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-394-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-443-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-431-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-411-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-418-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-939-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-941-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-420-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-422-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-425-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-18-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2540-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2932-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2932-0-0x00000000002F0000-0x0000000000311000-memory.dmp

Filesize
132KB

Download
memory/2932-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2932-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download