cerber | bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

Resubmissions

05-08-2024 22:23

240805-2ba2rathle 10

27-04-2024 00:38

240427-ay3xhafc53 10

20-04-2024 05:28

240420-f6ht7aad5w 10

Analysis

max time kernel
471s
max time network
916s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cerber.exe
Size

604KB
MD5

8b6bc16fd137c09a08b02bbe1bb7d670
SHA1

c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256

e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512

b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP

6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score

10^/10

cerber discovery evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0PY8D75J_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/BE36-5997-BCED-0446-967C Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/BE36-5997-BCED-0446-967C 2. http://p27dokhpz2n7nvgr.14ewqv.top/BE36-5997-BCED-0446-967C 3. http://p27dokhpz2n7nvgr.14vvrc.top/BE36-5997-BCED-0446-967C 4. http://p27dokhpz2n7nvgr.129p1t.top/BE36-5997-BCED-0446-967C 5. http://p27dokhpz2n7nvgr.1apgrn.top/BE36-5997-BCED-0446-967C ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.12hygy.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.14ewqv.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.14vvrc.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.129p1t.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.1apgrn.top/BE36-5997-BCED-0446-967C

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

2181 2696 mshta.exe
2184 2696 mshta.exe
2186 2696 mshta.exe
2188 2696 mshta.exe
2190 2696 mshta.exe
Contacts a large (1106) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2884 netsh.exe
2736 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2920 cmd.exe

flow	pid	process
2181	2696	mshta.exe
2184	2696	mshta.exe
2186	2696	mshta.exe
2188	2696	mshta.exe
2190	2696	mshta.exe

pid	process
2884	netsh.exe
2736	netsh.exe

pid	process
2920	cmd.exe

Drops file in System32 directory 38 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

cerber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2EED.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe

Drops file in Windows directory 64 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1532 taskkill.exe

pid	process
1532	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000006e707e3bcf086b41336705e4f7d2d719eb0077fa07d8b430077ccf2c4408782e000000000e8000000002000020000000d939c8b79b1ace5ba2726cc4196c00e84fbce768d432c96d5ae6fe9294ec8f2d900000007a4e22ef439bffd05415303893aa9776d16e46fb766eebc767c622eca33018ef8e1d0313c102cac8ff682ddb620dca0994b062cc222f0e2e0898841b4ac65812e7ff82451cf5a6e75ce80040d20d60ba86b44fd433c6efd53ab688e5906ef3e6695dfb1149a21bb6dee64911658fa9a2f6f599b80963265f3d25a615dd1feaae611870b743f5332ffce9c5bcdb4bc89240000000746f8b84b479bd89535ae89f57079de51d46ca5b916ee36a4abb57a5cd1000fa2b23b2e9e415119fa1db901507cb88b73e80bdb7e5f7a7941a2b9e21c54839c4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000aa904039753213c62f3cc06ad46a120f97614497146c1773ef471569fa9fc6c1000000000e80000000020000200000002e7b46305bb88deed16b90eda57dda7c7a882679d7d1b8998cb5ee08974faef12000000095abb9e8b463b9c297651433730bce366a3d914f0787ebea32efbaab5b92249340000000f903aa765b1ab2d6964223bbbf505c7bb9f44393f71fbb8807f21c1511fecdea90de5b24d02029954c9460d90d2128bd6796e6df88b2568a534929c2a6648f66	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0dfe5643b98da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{989D0A11-042E-11EF-8AAC-6EAD7206CC74} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2704 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1224 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

2012 chrome.exe
2012 chrome.exe
2012 chrome.exe
2012 chrome.exe

pid	process
2704	NOTEPAD.EXE

pid	process
1224	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cerber.exetaskkill.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	2340	cerber.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

iexplore.exechrome.exe

pid	process
2420	iexplore.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEAcroRd32.exe

pid	process
2420	iexplore.exe
2420	iexplore.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2420	iexplore.exe
1872	AcroRd32.exe
1872	AcroRd32.exe
1872	AcroRd32.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

cerber.exe

pid process

2340 cerber.exe

pid	process
2340	cerber.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cerber.execmd.exemshta.exeiexplore.exechrome.exe

description	pid	process	target process
PID 2340 wrote to memory of 2884	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2884	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2884	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2884	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2736	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2736	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2736	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2736	2340	cerber.exe	netsh.exe
PID 2340 wrote to memory of 2696	2340	cerber.exe	mshta.exe
PID 2340 wrote to memory of 2696	2340	cerber.exe	mshta.exe
PID 2340 wrote to memory of 2696	2340	cerber.exe	mshta.exe
PID 2340 wrote to memory of 2696	2340	cerber.exe	mshta.exe
PID 2340 wrote to memory of 2704	2340	cerber.exe	NOTEPAD.EXE
PID 2340 wrote to memory of 2704	2340	cerber.exe	NOTEPAD.EXE
PID 2340 wrote to memory of 2704	2340	cerber.exe	NOTEPAD.EXE
PID 2340 wrote to memory of 2704	2340	cerber.exe	NOTEPAD.EXE
PID 2340 wrote to memory of 2920	2340	cerber.exe	cmd.exe
PID 2340 wrote to memory of 2920	2340	cerber.exe	cmd.exe
PID 2340 wrote to memory of 2920	2340	cerber.exe	cmd.exe
PID 2340 wrote to memory of 2920	2340	cerber.exe	cmd.exe
PID 2920 wrote to memory of 1532	2920	cmd.exe	taskkill.exe
PID 2920 wrote to memory of 1532	2920	cmd.exe	taskkill.exe
PID 2920 wrote to memory of 1532	2920	cmd.exe	taskkill.exe
PID 2920 wrote to memory of 1532	2920	cmd.exe	taskkill.exe
PID 2920 wrote to memory of 1224	2920	cmd.exe	PING.EXE
PID 2920 wrote to memory of 1224	2920	cmd.exe	PING.EXE
PID 2920 wrote to memory of 1224	2920	cmd.exe	PING.EXE
PID 2920 wrote to memory of 1224	2920	cmd.exe	PING.EXE
PID 2696 wrote to memory of 2420	2696	mshta.exe	iexplore.exe
PID 2696 wrote to memory of 2420	2696	mshta.exe	iexplore.exe
PID 2696 wrote to memory of 2420	2696	mshta.exe	iexplore.exe
PID 2696 wrote to memory of 2420	2696	mshta.exe	iexplore.exe
PID 2420 wrote to memory of 2808	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 2808	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 2808	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 2808	2420	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 2860	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 2860	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 2860	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1332	2012	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\cerber.exe"
1⤵
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
2⤵
- Modifies Windows Firewall
PID:2884

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
2⤵
- Modifies Windows Firewall
PID:2736

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9MTGV_.hta"
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://p27dokhpz2n7nvgr.1apgrn.top/BE36-5997-BCED-0446-967C
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0PY8D75J_.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "cerber.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6cd9758,0x7fef6cd9768,0x7fef6cd9778
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:2
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:1
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:1
2⤵
PID:108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1364 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:2
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:1
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:8
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:8
2⤵
PID:276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 --field-trial-handle=1236,i,11925105454013487001,7691696686823801209,131072 /prefetch:8
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2112

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:548

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
PID:768

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1faa26ae52cac819bc42e2ee6f6ef61f

SHA1
4a06963e3a50439e0a23dd8977e7856a1c3ae579

SHA256
bdf3acc2946bbc6cd65df5af28acb5f5155d13fe2d2f889a479c2039413c2c3b

SHA512
fb7551568671c946a3882b9435955624b01fc14fccf80c3d2554582d478aa613d9ec07b86e7f2b4f250933d5eb805bdf3c57239bc26ff854e3f243381e33a04c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c612d7a8e689e8e2e21e5bddad5bac7e

SHA1
3526eeba72803091f53929d727420cf51d0b178c

SHA256
9ccb8fc26ec0e2767d45d2718ecc2ac55e864cb1fe8672d777ce8ab5b1926e53

SHA512
a104c0aaaf0cc9017840807aed132e3af334b6f93944a8c3a2c8cf5e982af63e727d70a16982d335102f6bcb5d7925171b53f6f2a2932d0abd178cac247d0dae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
16a790300cba1e10605abc2e57419027

SHA1
0219e45930e48c5ffcd460777fae8c7e53c8ef6c

SHA256
e1d6f62ab3f4eb0bcb306b3b308a87edac554a6e2dda75ed80258ea8897ef645

SHA512
2636a87150f5fb4f60aea1dd49b9ac349e90d2bd0d143f105a09a6a43d03be9741aa5f8942bebfa64378f9320fe96817701f2401a73742861c005e1991717e34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
732215fd7d19d7695897c81fb0b11ca6

SHA1
d654b2381a817bbeabfbd25130cc2644fb312a3e

SHA256
f0cd531ac4ce0d5d9caeddadbb8a8934601d52984106bf14a2b427463a1d6c3d

SHA512
213a170ef85f8aa9ab16d013c876fe0a4da9f941a212e1412f294b6cefd1b552a0d3ac57b99b9c802236aefce83303df3d2eb22611953d701f74b5fe22e2009d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
deb9933c405436bf0dc4fb139c1e86d5

SHA1
ebc5f6ba55b2edb85f6af384e5c34cb44025be86

SHA256
3940d8512bd0f84e3c9c28668e720d010aa8d662cd4567ea8dadad8462e1c791

SHA512
b24836297750c899e0648be632fc3eb371872688d6b90f80d2e400a710cd62bba3c31d66f7344c1073182da44d5ca21344a909050f74d3cdc0bae4674b24e261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e310caec009661d3007cca1c1a830d9

SHA1
d4841e0449057cb24750b908f0f1242aff0ed8ce

SHA256
751bfcd0728ced89dcc3c98f11e159c8cb7a58371450016646a0e0cb56b4de1a

SHA512
4cf2ae4017e12cf8524322ed187d7363b5ca8b094817260c3f2019e44f8750aabab4012752759c1500acb327c3c50a2c6a8a649dd3e85c7f800b123fc8d78b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9742f5ee384895e466ba4acc9cb5ffc3

SHA1
1eef2d0c222469e38e858cce203fae84c8bf9cd3

SHA256
cfe64ff67d953b83ea7302fce727a317a259aae6d026ad535e605b485bcdd98d

SHA512
52e79a11ec5db32abaf95242d91268f6547aab76980883a73f7d9425254981fc2fa51ffe0bf41bff640a9bfcf7ca0bf3f594a4420776147cc74bbd28a76bb07e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a7f9962aa9c09b95d7e07508a4fbec2

SHA1
8845194ccf96f3662c8655a74a14c305a74a0095

SHA256
4653a8b172b827cdd6809f5ab144616c5f52687904c6399bcc088fc95a64a102

SHA512
d97482fa6d5bc4738533fd96d30c1227c7d30176fbac74dca4ce9c472d1bba9fcaf084964c15a5527ca68a73974665102ce534be16304d2201317764ddeed66a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56f1c410b6ff0cba161d1302b1c7f47d

SHA1
eebc81c0c71ad4dc91cdb9cfea92d5ef22929f1e

SHA256
6c71f7489076f1b5b5451c1fc0a7041640daa8cf7d3b02087b3efca5a20a499e

SHA512
27c9fcb3104792b8e61f81d7ce51a4ab854b0b64e896734d7e13bd39af1092d9cc22b8829168837d19506ec67fc167c7793029b1bc8f53af5dc6963e6fd6d8e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
789fc37f9ca81d2e8393d8143c1ef42a

SHA1
34cd570ee15d9b32de4d0b7a93899fec8c1a7d35

SHA256
99694c2dfbf3d575e6f05e36a209f4af4e7eb1140eaae6b6cafc650c8253aa36

SHA512
f858cb82d0e508c736db28b9f7a7d4bdbbb3baa232b9dfdcd862dcea8db2ac535e16cbe5a64b204a09669fb0ec5064f23a480137912256b352df3f0ffc1b0fcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e3a01ac795fe878bdda6dc95e508e7e

SHA1
cf32c559c598435022a45b6b015ca9d07dd393ba

SHA256
133b639e57146ea4713cb66aaf56facf4e26e76b390d1e15335f17bb409d7361

SHA512
0bfcc4efe3030b68bd6bdf41bc45943beca8a5d1b4e8b6c68895c9b53a75f8cdcda5c4025dad702bb9953e3f0167789143f81f77dee996d044238e8e5f8c53fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19005961793334c18bd29e118e80fa7e

SHA1
7d269353ca46ef725770a42ee0e7a032a6421a09

SHA256
0f430358a69c09d8b1d8e59ce91b0ef1b852c0d54df3e64fa3f88908582942ac

SHA512
6d4d9d353fd6b1fcc4354d0db21b5e00a2d271e7e150a459e313d024fb7e8de9b378a43241930e0fb3ee71e271170ae1a01e325b72b27a481b661d6a9f4c1a2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f19a764af99146cb44657861120029f

SHA1
b7689a6c999b9faeda4ac12bfd6efe42783afefa

SHA256
ddaef40409655e1775aef05267778efc759e6ecf94c9c8a947e29fe0fdec1c53

SHA512
5e6027f7c1f240d0811145c42fe300e84896f15a4aed802cff3268dd475e1f5004149890ad3a78a1804079258eca84b899140e37333fa2742a66ca0e8690d672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f968d845289cda650c8dcefc95d8258b

SHA1
a3c0e50d6f473d7528476852b2258e5ddc56c9b9

SHA256
1c0e2e318d874dcaeb08f4cb4f0548055b0f2132caa02c61ad3ada5b6770c380

SHA512
c1452ddf3340fe9414355eeaeeabc469814fd66f03dc34c5db350bb13ed93d11facebdc128cdc39a00966a471c28b32ba8cb21aafc4fbf4a71f1bac647a76993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c42fbc459d724ad59ae94669d104208

SHA1
59f2d9faea2d2006ee0f3da71a7bd6b0a11d44b9

SHA256
0e273538580e1f51d73a3d8c6874ff76bc6e66e0df43061ca20c3b0b8e751a6a

SHA512
829a896ce4fc383fc4a3d4cd26dbb104020079e795392adfd4253a6168f6d60863cedd40f6f5a346c869f1ce71dbedcb6215229ed260b1e1aba4d457d01c02cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45a5f884267c5444e8aa17c855d9829c

SHA1
314178ea100a271471b8bb1c3ddde69b83983a4b

SHA256
56348bd4817a7186b0cbbab6193113e2bf0f5ab672aea67b1eb57d4e1684ac21

SHA512
733d038f36d832d7a5d402ab1c80ed15a67e5a55d3f17c64db7012e6b3fadc73fa863697fa3da782f44e3b9f531dbca5cf881d0ac0985f71c344bf81faf6fba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dded3003fbf1afa30193df8b67c6371f

SHA1
b0e57ad13d73ea8144f46dca33dec085568c78a2

SHA256
4165903d4a5b3de90f455ef30b29af82b9ed48c6d918f4f79ca7732851cbff6c

SHA512
6445e8d784e1c476668cc99f66aa392ef45c7c8368aa89f490316622c82ed4c39be2b8a4bdc2437d391425fcba3d0ca4f519802b9be1dd331695f6d266f58da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7df2e7a13628a44363b4f41c71f8cd6

SHA1
3edfaecc1b83c269f933f5c32bc6735fa7ff538c

SHA256
e67307dea36742d79cc9f093aea84622b45a73fc051de19d740e51966888b0e7

SHA512
69d137a6025f6032557f97a2cd7bc09ff626fcf368dc2a968d22f5f4d52cef715558fdbfe08fe4509597144d7edfac7a0e8b4862bccc495b2394be14500e3234

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12fadd432536e2b61a83850f7231db3c

SHA1
8f2f049e5b80f2df3e6eac3241cf417f1cf73a87

SHA256
3c50a0e64c1d755f368b7599e571580e75e2c026a6ed85dbf39041e0e5fb79ed

SHA512
91752d7c894fe40a7c11f68f7890a05757a97477047f6e649ef6ed5805f6866d89cba7ca18c1602e0ae125ed6fe9d5bb08db7c8a3d13467ba8e10f520521a985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1db1e1efab2647fbd56ccf091a158cae

SHA1
3de9c36dc7316235e78d5fc026c418f0142cf5ff

SHA256
29c94417f80b392e3a9efe179418a5695989d1b114cf8a0805c73adb1ccbdf02

SHA512
0f5a62ff5838c69e9032b6a2dc2f94978c3d83639eee10b7550937e2618eda8b0ad620067bbd633bd373b8df3cfd6ed412989554ca32bbd1de9f44aba733cff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1f7d944c044fb7f225dff4a9ae2eb2d

SHA1
aec250674a93e2959609febaa68f5a84882bf2dc

SHA256
f0d6ddf950c454f622f5f2f4ec87a23786ebfec283bd7ba46ef45a5767de6c65

SHA512
8a769ad8545b22e6b510eb346d5ad56e20e1ef9679da6ac656efe4bf82a91f81f3fd3bc3aa77d71edc5e205262049e57f0c09b4adfa76873dda5bef34a0d0eff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fe7991012701f1a8509375fde6ae03e

SHA1
872e67499c7c6fbdfc2096c3e6a6a253cf869074

SHA256
7507621c87a922a7871a3c2dee0f10780eda45f9ad151a283e87754da258cf90

SHA512
30de5014056e52f6409067ff34f12958138f7d3662555e0b996d543328e55727bc8cdcd3c26165f026115c05a83f10be6e333f24fe30b0a52fa4867ffa3d3d11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3856e02fd858759a61ed0b08fbcc288

SHA1
d20df3c3bba5f51c208946a539016078c0571d4a

SHA256
fcd136b5143d94957d6b142405773ba998bd652c316bf7eb64962a211a11428d

SHA512
6b1af1f6e0c54ecc053392dc08ad84b3a8c267ff3283c74e30b1ef49341e6c338b5ed89884304b50ef85823776d07061fc02d7bacee9a940d7eb722456e7699d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6fd036b93e2abc914333c40b759375a

SHA1
4687c10157ee63248a6782c7f00f0d1b6abcab75

SHA256
29fab15fca19576ae52d03d06aaedb2192fadddafd3dcd1fea262db06d4ad38e

SHA512
3e15f823d77fd31d46ccbdedff2a17cefed0486acf3fd2e47904ca792f7a356122bf062f52c3dfad00ecc1da96e2317aa697077684aef5aa2bb5321a8790ce94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd015771e82006ac11c38586e582da4e

SHA1
447b512f36f0d19804ae7034864822d084598428

SHA256
b79687b8d91fd6f97ce8fe6bd12de13d068d7499c641a34ce61c886b09e0d5a6

SHA512
e39c9ffe69b0409e06f97b17b2f8c0b648bb3315cddb6685ce254d2ac5b717e42bfc6907a709188122d1c10ebe7cc9c01b2709b2b5ef27c09964e084b620a2bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d232657f9d177f83f9238b35ca9ea310

SHA1
9ca794fbb0f456201c07a98140f249357bdb3799

SHA256
c3a542b2a26be7b672c8c049f3b8dc53921fc6a1986c9ac0850ebc9400a48e9c

SHA512
a76300cc1329bb1d1a1e0448b8b7c4b96d963972abfa2695918c33227ef5a97d6ce48502f732ed07b0dc7e1d3ac56773a0971e99c0f7768d67091f7e8715553f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94ca7ba0ff24878446d8121fc19d66ed

SHA1
dcdd926e658f5eeb077886cac5112609a975ebe7

SHA256
6954bcca69a3e47648c1a6b343c53dd9b22f5959ea0858318dfdbcba7314758a

SHA512
1cd0ea2c32a7b078d836d82ad5f3eff42d494554425d7c918c4ffae8c179f5798f1953cf1ae7985f8eb8f6706d04bfe308701e58bcf47417dc20a6a6cda4b2cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c61fca5d4043d669bea87036d3c9786

SHA1
97df6bd63b8597233b76a85880a08268cc224bea

SHA256
ec569e25577c4e68434f9b7939d598910c6243d6659e6c8da2e2b8c20cafaf59

SHA512
8aa17c96249a106f9e66ed9503f21977470b4a1dba1f7705a5dcbbf3d06e4817082e702fe1a609c8984889aff6f4438498736cc1fc646182d0e864529ca3851e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b1cd001b8b462811f2ccd52e5a2cb75

SHA1
3d3073bd14b2fd3afb83368f683f43ccb13fe2dd

SHA256
3c2dad6af8ae2dbae475d75fa1cbbb24c14945c42483618a2a07c7c3fbcb1dee

SHA512
2f92dd9ca148bd9566290264b48eb649177abb6099d779780ac0314bd86df3b8a9e6868921a0facfbca95d49a2ce8b61a9ca1c6911799765f35f6c6d37e94400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4454164575af281e08f2e76f933952b9

SHA1
793e3c451b7961891b90bfff86418a6c41dc4262

SHA256
0bc11c7a7ad0a45ee81aeb6a25b0473f77744012d3d811a7eedad80517b0d378

SHA512
251dc68fe9a45c9c574d15b56d3bac1db6f62796dbec125098351850f3e749455d3d6a4ba785a449037f4326bc831a9fe445c8d780bb6f423bbaf00854c33982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5d38bca6c8caaa0bfe2fa39e4455e66

SHA1
52c640e71f3a1b4736ccf5cf340af6dd50c05396

SHA256
db33057239d7624d4ee78e6e8487f70f7790ac1f8521ad2ea1962ce9afeff820

SHA512
f84d1680e45621f9e00bca8c7073502e8d016496ca69899171feb97e47cefa1c7feea8e27c347577b415c2da8206243999747f308182ea1257f3444666c0bb61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba0bd496b0be659d1a5cf4bbece17493

SHA1
3e3413463c9df7f48555f33bae5467e2265e302a

SHA256
783146f640a9c7abe8079b8cada5a3caa97e1ef50b1efe9e7a0cb301d90d31b1

SHA512
7780a3902ea2a49a165d69154728e76e11bfd09038dea9aa8a752d13579f58c44ae4b9d975eb8f10596a08b899e404763059d1a35452c52206bef77571e43d67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1229e7432f36676e71b1946a1fd9d3e9

SHA1
d5976b36e6647df0cdb1aa1e0e861de992f02930

SHA256
b2ebf3f58dd3e54bb424e644d54ad1092b93a5c9ee528953eb8bf3a41198c0fd

SHA512
58e7a06cbf84b5c1a70e21a9626c3e7fa4fa61cba3bd7c40f4b5c28b03dcc10a6cd47bebfe3948f67220eca02036865dfa29446b4b8b65b131e31a5ddc045e11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
354f25a775b961c61003ccbf726c848d

SHA1
b4c8cc32375864fc2d7999e7faed072d138d5587

SHA256
cd56cf29f87dc1fb35cce9d6d56bf838c195a514eb32ee3813d7ac8becf41082

SHA512
cb57856880316b77f470bc3adfc956651a0014772695392d5d63cd1e38e47239cb6863e910b2d992e9fdcc5162e6312c94f410e47eec39af7a5067716b3aeed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ca29beaac83b6808363f4fd2d8f0009

SHA1
c2c94f729fa1d23053f371f5d67d9bdb87341c93

SHA256
aadc3a625203e6d8ac7b020c13d756dec071f4baad30faca7dd61ba92c35a831

SHA512
3c5262f20fadd26f695a789ca3ee08883b6c8b5b59e4094377b045bb30c5ccac1cdf537b0870b7fe80aab5912cfa5be8d3c56c0db2cdca669be5d252b7834cce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ce76705f07ed9ec436846f94220ce94

SHA1
6801240435048f78cb6aa4316772a4285ff9a04a

SHA256
49df3f9e1d767bd39479599ef1cfc65650c9127c9c96efc36ddf4d0467bb1716

SHA512
102c038af5e889e2f1a0590abbd585afa4860d1ace586950ce2feeed5148021b4895e2ebc53ad2a78fd5f23281086f417f1c28df64186ea2234a4894e29d72c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0da3d87bd8510e52f28f7fe7bf6cb6c

SHA1
4ec927e454850f98f44f0e6895614e6838b8a08e

SHA256
686208590b0bf3ce53bd03dcc28d80167c64d89a5c453aa28bf0cb26f0c92bbb

SHA512
1ccbaa425c210a8c870d4f3eb411e3d3d2c2c696009a7faac05b445aeeaaf8fa9ab76da27d4ef9baaabc6bbfb93cf0bb072b591ba2655971ae10b15ce282668b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4c023af074e12c28b519421bbf90487d

SHA1
c2ebe95404b151e95e77d51b7bef91235b9ad28f

SHA256
4f85e1c73a65bf8415537a5ff5a4f04a05d8341cb79b6a159935542cb36712cd

SHA512
3cd142e2f8f47893e31523a1ac6503dbdad30a7c2face06d837898676cd2d805f871ca8a8d89c048cfa27f185ca81a7d73fc7888e06580533bdeca59b4caaadc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
50869df2e953d604a22435bf9181707b

SHA1
91c5ec73039cbc6bda0aecb0cc9f92375f2e7295

SHA256
b2c1d733acb05acffdefd3ca2550fc92dc194814b0994461e3642f7346cd3f90

SHA512
b4a0e012024dde55f792e4d404ecac42dd27203c10d9d2a98338e195b64c4727ec9a182122e1de8ac3d6275afa764da81970864d343bf992903d74a3bc383743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f940b8982500261d482583ad69b9c764

SHA1
3de3b6d600f9bd973a9b8760d86e550aabb50195

SHA256
783f67d555d8684a6a840eb7f158ecc9788a38e289c810aed8baa7373b270331

SHA512
75f7ceb7b351790deb66d4a068c3955fa2dce0adf7e5adc4b5395582799dfaa8f585b1e6296bc21099118f4c64e0673ac30d7741d448b7aed824c2c9628a04d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bccbfeb3-8358-4a39-85c7-976498839499.tmp

Filesize
5KB

MD5
cd01956f66ba8395210dcccd65ce6f5a

SHA1
4ee30e494703f295daba2d0d60d022e9aefc5fba

SHA256
4d118651e472da4487ee6ac4f3e58a4c493d3b0fb111673bdd80d00c758d2e5c

SHA512
039846bacfdff4ef3198e7ee0abf7c3e1776a6dae65d7506785f4a0092a8f14a9be2a2cff37cbce7143e5c057c3002bc21c845cc8d62f71f3bf10e221eb942dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\re26ad0\imagestore.dat

Filesize
8KB

MD5
8bfa5d46233f9e4c0680671d6a240e06

SHA1
5921ff6c5cba7f54bb3c033c5d84cd56cbad445e

SHA256
857097ac4db78cd5c4b62e0a36c1c84e9c43f706b11fd3e70398aab9ed3c6a7c

SHA512
cd543d3bcc34f7e1b6dbf7a144dc9270ead3422b2f3d4d118ff0c9de70e7c49dfda39fc7dbe39569cf4f6cdca3701c52cd58ef4ed8ea13e73e0ce29ea19bd038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\qsml[1].xml

Filesize
251B

MD5
7acd807058027a08d976763e61466b82

SHA1
234f3dbf5bad8b338c981c0ff90eda79498539cd

SHA256
f948d9f9b8246206709fbff9d784d2e88e3171e21bc3f4a8cbba94dc20d6b428

SHA512
5628e0fb1a48dd911637dd6550b02c285f1461c263190f941c27f03d8bd2f47425d36a5da7e284295874c0b9194d2ee59dfc87cee3c41c927861624437a77e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\qsml[2].xml

Filesize
228B

MD5
cb757b59a8e277c982b5eb822e578027

SHA1
b7fb5b82c7d2d6d66517a387a4c5a492afa71ab2

SHA256
81087cb6ddc00263de6f14ea0b4277438a982f695f47c7a0c7b2ea7eea651d5b

SHA512
4683759313a8a907da4a4c7c7d70e3b3d08e721d4edc354cea5dd4244ff4b8a9edc22b86b31b864a71756fa3cc21ad36792dab9ff0b5f02a5587e471c9682ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4D8B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp38813.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40076.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE82EFA6ACCB7DEC8.TMP

Filesize
16KB

MD5
fd8a957397b28321c34656c618d16adf

SHA1
63e0f5af3289158085202b98b3a3b061c5835776

SHA256
a1f93aaf0d8f01aeec425ca94dc4da6c7c7dd9333512af0d26ce81b32f933707

SHA512
e47ca47012c7a7f21bb42fb5c689942c2ade2e253775bbda3281b24711a5c8f469cd738889a618b8a51bd4dfe993cc483b0b2879ed4069cc478ba9712905e473

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
017f65d0ee09e79ff4c9c4fb5c18649c

SHA1
a66623715ce8f0d919c707a8478d5df4613b4db6

SHA256
96a734f7c108fb4267a73d59a7be6f71c523d48a7f46b161fec829944071f399

SHA512
8a8b5248f007ef3d06603e7932f2a467eb59e29ddb91eb7afa0e8a54b504cbbcbbac0ea4116e4c7534f47ee75eded38c8dc477d2ba4fc20fd5ab1ead7fe19c35

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0PY8D75J_.txt

Filesize
1KB

MD5
f091fb5a7db299b294b8cd0052aefbb6

SHA1
06471d1ec7452937459671a8361bc48b63d1a5ff

SHA256
292595dae62a8faf001b3534244e95ac9ca5b5a319f26ace6defd3dcb7c9612c

SHA512
c70d3df130c0bbcf290cdd61e869c99dc717507bc17cd7f41d6a16a45601b0044214cf58e6d7f4deab1bd891066691997896acc2813c9e2fe030e5f9ac0a3dcd

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9MTGV_.hta

Filesize
75KB

MD5
3642361b308a2160ecd5c33da254c9f1

SHA1
857fd693bbef8140300716fbcd2b476c74764f33

SHA256
22880be70b39e6dceab77ccb4fa485699d8677f1de80a4fb601cc015bdcc2b98

SHA512
95bbd5de1bfc7b56186fe7476ac09e3bc2c67ceefb4f564d169c99dd89e310b5b363b6afa4c7fc4244b7c224eabc4f4f634dc6f0d15fc1577f133e628818a6ea

Download Submit
\??\pipe\crashpad_2012_LZOBVFJAACHFIYWA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2340-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-0-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/2340-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download