Analysis

  • max time kernel
    127s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-06-2024 17:13

General

  • Target

    VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe

  • Size

    392KB

  • MD5

    6653ef20d2a3a6ef656d9c886ebabd93

  • SHA1

    bb0cc0b05bb70a3d347faa94fb36a35c771b0692

  • SHA256

    48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

  • SHA512

    b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

  • SSDEEP

    3072:viHZTdn6oWzjNtxPPnGau7GMuOYHAifZEeKPi6u7KzrN7ivE5oY4KppRsqYaefiU:QZqPtvGauSM4HAifkGOzrN+HKkalM

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0 | | 2. http://cerberhhyed5frqa.slr849.win/BD8A-DE2B-692C-0291-94D0 | | 3. http://cerberhhyed5frqa.ret5kr.win/BD8A-DE2B-692C-0291-94D0 | | 4. 
http://cerberhhyed5frqa.zgf48j.win/BD8A-DE2B-692C-0291-94D0 | | 5. http://cerberhhyed5frqa.xltnet.win/BD8A-DE2B-692C-0291-94D0 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/BD8A-DE2B-692C-0291-94D0 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0

http://cerberhhyed5frqa.slr849.win/BD8A-DE2B-692C-0291-94D0

http://cerberhhyed5frqa.ret5kr.win/BD8A-DE2B-692C-0291-94D0

http://cerberhhyed5frqa.zgf48j.win/BD8A-DE2B-692C-0291-94D0

http://cerberhhyed5frqa.xltnet.win/BD8A-DE2B-692C-0291-94D0

http://cerberhhyed5frqa.onion/BD8A-DE2B-692C-0291-94D0

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0</a></li> <li><a href="http://cerberhhyed5frqa.slr849.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.slr849.win/BD8A-DE2B-692C-0291-94D0</a></li> <li><a href="http://cerberhhyed5frqa.ret5kr.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.ret5kr.win/BD8A-DE2B-692C-0291-94D0</a></li> <li><a href="http://cerberhhyed5frqa.zgf48j.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.zgf48j.win/BD8A-DE2B-692C-0291-94D0</a></li> <li><a href="http://cerberhhyed5frqa.xltnet.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.xltnet.win/BD8A-DE2B-692C-0291-94D0</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0" target="_blank">http://cerberhhyed5frqa.xlfp45.win/BD8A-DE2B-692C-0291-94D0</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/BD8A-DE2B-692C-0291-94D0</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16390) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\auditpol.exe
      "C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\auditpol.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2736
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1984
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:372
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2248
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:865281 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1052
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:1584
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:2596
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "auditpol.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\auditpol.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "auditpol.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:852
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:844
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2984
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2856
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2964
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

          Filesize

          85B

          MD5

          879b445140578bf660519a32ddc026c0

          SHA1

          b46804e8e02433d55ac9555a9257eeaafc646d32

          SHA256

          7e7e37bacb611148bde1ca8239988c4f8173319a1a88a3a5e8119ae0d8e23922

          SHA512

          873586926dd8f7c1f875541fd70d77c1346ccc4d73337d22a3ba1591d7fb2336f5babeed8cf7c16366290f621e5b628070579ec083d6fda64712ccc83d756cf1

        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

          Filesize

          219B

          MD5

          35a3e3b45dcfc1e6c4fd4a160873a0d1

          SHA1

          a0bcc855f2b75d82cbaae3a8710f816956e94b37

          SHA256

          8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

          SHA512

          6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

        • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

          Filesize

          12KB

          MD5

          760cc6692455478fa92fce030c472d61

          SHA1

          dbfe0c1822ac27bb71202d0f2fdf86f01f98cc04

          SHA256

          781ed12b333380bef0192f0a556142220a4b29fec94583d2f2c706ca84b1f228

          SHA512

          5d9f8db42524762187d17a1ca0749ae273ba5438e66562b36f20f97c1c53ecc605e7a9bb7cd7111223771a8eadde7bbf992a332f2e2afce120a62b143ce14b48

        • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

          Filesize

          10KB

          MD5

          6b7dfd030606b2357e281d6f9233d79b

          SHA1

          3e310e82e371338e1ef717c07cf466786c91bfc3

          SHA256

          523fa18c26b106e82163b97011080080277f6f33a75e8e9bb36e60e4db7d9448

          SHA512

          17485b8324d42647918d264cc775b3980f7363ec9c0def6635c71c913f633b114118d37d3dbc054836cf6bb79a92e5bcc2d9a87110b616a84bba36ea59e399a9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          135d134c77cb10b7dfb5afd5c48f4c5e

          SHA1

          fa0d00a327b805415c08ed958d09a349f59868fe

          SHA256

          b2e1ce338c9331ddd5dd543703063f9c0817891f958f258b1127c4636f3f65c4

          SHA512

          b747ffe03c3ca1beec947f308f306046e1d3f33b3f336a8ee3f8fb34b76794fe30320995454be94175bd46ec361a2c7777b92cba45c7b8372fdb7cf73def94e0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d0fa92ad5c10d0d06aeb11014dced370

          SHA1

          5efa2df315d5f1688ebe5e99e73fda7db76cd696

          SHA256

          d16c6e3d5784fdba5c3bce14160d6bf4b4e8bd6c07f2a6d4cf1803e333feffb2

          SHA512

          39dccd7acbb1208511ae3a9c5f422a99b3e16eca5f41ced8e334a59aab14fa041971ea2e74f73f4e938680475bb2cf42f37e9bf0c01804ddccc127de1436b87c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8463db36609372c4c80e7e04afcf8ddf

          SHA1

          db66b60673d40fb64947320396ecae5a0ac53295

          SHA256

          f83c3f1b89838838159fbea7e0b71855cf283f67a8f5ca247a77f2604a32a229

          SHA512

          cf649c673dae44bcbbc698a49fdc8a9b2a6c49022936a4eb9ba10cf54b4113a3c96fd9e073244b9a4756c31e62de8e2554548ec7f7b0769f5c1189af74f63eb8

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          bc8ec1a3b3101042d666e4af77844d04

          SHA1

          3776ba6b149c3966a5072b75783e79cfbc260c77

          SHA256

          fe8be250063f07521e5b5926f9a84669b1f9bb8a74e9ea0007d1f1ce7240d404

          SHA512

          90aba5c0ad358b1bf5e4b3d4c0112491a4fbf429f4d4dfdc978e39bd2de639e4bfea6d5c832fa68a18d981a4d4714a25f33b3f0e17985430544ae52ca6349921

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1ef7758a17d8b79490cb9b84e2832a05

          SHA1

          1edafc6107f3a80ea6155c457c5c448be11a4d7e

          SHA256

          e16399a5c3a2c3568b66c248336e4c9604ece4a8e4cdddb2113fedd3123b2f4f

          SHA512

          b59f91fc09fea58185bfc519ea2bf96c85f9cad9607b0581f6dae4eceadeab495f62e8f1b2e170216a967ed6a9deaa9ba9fbbd640e0520d3aa6f8ed253d55b0f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8f369eaf09c9be59d1a0767bad435b3f

          SHA1

          87c2cccbe2b89d9db5f5c2e72b7efff3fd08e73f

          SHA256

          c668b0bec40c9fd9e2e63bde91db365b79acbe65504c73c2c6bf0c5033b077d3

          SHA512

          e9061edb21ca14bd9155876290ed6be6e82d857ca84a6404a33812fc5283c7ccf75c4402e5cfe947e16ee92a983b85a19f4bdf9ea4dc491388e5c3d6e1da1965

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          2f71242fad7a3c016221b387fb686772

          SHA1

          5e3995f8a5f70d7befa59ce422ce9b4b169f2de7

          SHA256

          62e98f638a1ca99c1de1d25f8184227275fb872ccf7e3fcadded8a34efcd2b64

          SHA512

          9c43f17688f6fd716e40ce8393b256e70fc4d75967b66b98ced41ebb0afe0973a5c918b902230c0e6d52a829c27d97da637a6fd46dc79097e017f4dbb12d3e00

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          9d5cea2af8d44b72311bef9aafe08a18

          SHA1

          a3fa9ddd79a451f5beae990d380bca014ef2f392

          SHA256

          6708a1c1361a87b9181f657df14559346f8afdfe8566f6ed56a8c8ab4f70c9c4

          SHA512

          c4bde200f4a4743b356dc3f588a33566f3d5003abd7ed16d756bd81b9ff19f55f9075e30f95fe6bce012a31baf2ad48f1c8cf5c0fd9adcf2db034edc9560ce5a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          58c834131bed9479267fae74ef196bbf

          SHA1

          08c897aadc2935dd9f4e583e8aacd98ff173e6b8

          SHA256

          4c65c2d8048d6f5d39e06794e4993b38e0ed039de6bc4aeb2805b958f689fdb4

          SHA512

          da76607aa37e25e964a2641bd2bb05d3403a890c7ba71aefb0973645b35bfaf0c4428239bfecf004c1a515cf765fb7c7eb0422860c50cf3dfd1135df4c4f4a0c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4d2601ac267d65f992d74ed8a8b7ffbe

          SHA1

          0cdba7999b028342139539ac7b02bdb30bd079a3

          SHA256

          889e0f5b7bcc3f22381764d10cc5644bc4d6c1ce24e9e2cfde7d9beaa91bf233

          SHA512

          005aac83c8fc807138a44925344f25e53c30914e434c72398a41ca46f6db5496ba2aea21556cd2acf442ab8d1c92ce677554e9aede51918a7356b40d569e38da

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5EF19E51-24F1-11EF-A9A6-4658C477BD5D}.dat

          Filesize

          5KB

          MD5

          400e4948352feb2973ab54c110303648

          SHA1

          546247069d591e8060fd5bbfc388995841c5d328

          SHA256

          b7e37a2c23193105cd456f5ef67ed9c92e4d1357f0b0a7d443b1157097dbe650

          SHA512

          91dab6462698542a1cd8abb22e66a680ee6aad85a0bb3aa35447374fd5fac28b304c54008cf5b8213288a1c2c9bdd2175b6231bd80bce9c30a12894cf15ba8e3

        • C:\Users\Admin\AppData\Local\Temp\Tar2718.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\auditpol.lnk

          Filesize

          1KB

          MD5

          e72e2ef047a3458fab3fc8f2abaaddea

          SHA1

          3de866626b2016ec511038e1c864de290c5b0340

          SHA256

          0f2dbcb2a4ad9e56557ad7356450e4eabfc9b6d46a1b257161d3b42bb8973213

          SHA512

          6f71266231c7e6178890c33012e6d97ace0a21a5ec81de0f52b6acf846a5fcf39d6057460a614203c7e176e96bc27d5f7b47e0f5803a28d8756789a215f93264

        • \Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\auditpol.exe

          Filesize

          392KB

          MD5

          6653ef20d2a3a6ef656d9c886ebabd93

          SHA1

          bb0cc0b05bb70a3d347faa94fb36a35c771b0692

          SHA256

          48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

          SHA512

          b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

        • memory/1724-20-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/1724-2-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/1724-1-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/1724-0-0x00000000001B0000-0x00000000001CF000-memory.dmp

          Filesize

          124KB

        • memory/2284-436-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-427-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-424-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-419-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-417-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-415-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-412-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-411-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-439-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-433-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-449-0x0000000005090000-0x0000000005092000-memory.dmp

          Filesize

          8KB

        • memory/2284-430-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-421-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-938-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-413-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-403-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-404-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-407-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-25-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-26-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-24-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-22-0x0000000002D20000-0x0000000002D21000-memory.dmp

          Filesize

          4KB

        • memory/2284-14-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2284-16-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB