Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 21:54

General

  • Target

    sigmahacks0.2.exe.i64

  • Size

    64KB

  • MD5

    ff001a4805bf038de8353ba101de60bb

  • SHA1

    b21a51bc6b012973ea6c55bc4a3afff132991a5d

  • SHA256

    96c84d6c367ac7f3ac3103c89b847536fef95778542d3231b14a99ab6e3725cb

  • SHA512

    964338a49cae369727d2c2f7e7187ef10e2642871730c6f671b05364cc253967138eaf4e005ec63dac8946e4acba7469343b21fc1f1f57c90344959f47bac23f

  • SSDEEP

    384:+ncwXM1vKOXM1vzxodEpV7ilAvZjl8VGlPPIOEPPPiPYnreqmdPPPSnh:+ncwXbOXyodOUYHOn2Hqn

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___SEDBQQ2_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/97DC-9ED9-ACDA-0446-9818 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/97DC-9ED9-ACDA-0446-9818 2. http://p27dokhpz2n7nvgr.14ewqv.top/97DC-9ED9-ACDA-0446-9818 3. http://p27dokhpz2n7nvgr.14vvrc.top/97DC-9ED9-ACDA-0446-9818 4. http://p27dokhpz2n7nvgr.129p1t.top/97DC-9ED9-ACDA-0446-9818 5. http://p27dokhpz2n7nvgr.1apgrn.top/97DC-9ED9-ACDA-0446-9818 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/97DC-9ED9-ACDA-0446-9818

http://p27dokhpz2n7nvgr.12hygy.top/97DC-9ED9-ACDA-0446-9818

http://p27dokhpz2n7nvgr.14ewqv.top/97DC-9ED9-ACDA-0446-9818

http://p27dokhpz2n7nvgr.14vvrc.top/97DC-9ED9-ACDA-0446-9818

http://p27dokhpz2n7nvgr.129p1t.top/97DC-9ED9-ACDA-0446-9818

http://p27dokhpz2n7nvgr.1apgrn.top/97DC-9ED9-ACDA-0446-9818

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___BOEIFFM_.hta

Family

cerber

Ransom Note

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (1122) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\sigmahacks0.2.exe.i64
    1⤵
    • Modifies registry class
    PID:428
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2596
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa84b0ab58,0x7ffa84b0ab68,0x7ffa84b0ab78
      2⤵
      PID:5104
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:2
      2⤵
      PID:3672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:232
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:4936
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
      2⤵
      PID:3432
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
      2⤵
      PID:4400
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
      2⤵
      PID:1104
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:2076
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:2508
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:3516
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:968
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:3992
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5076 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
      2⤵
      PID:1780
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:1464
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:1352
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:5016
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2640 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
      2⤵
      PID:916
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:3920
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:4016
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
      2⤵
      PID:3392
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3160 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1280
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:1916
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2280
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4416
  • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    PID:3952
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:3924
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2480
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___65AG_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      PID:1524
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HM18A_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4884

                                                Network

                                                MITRE ATT&CK Matrix (ATT&CK v13)

                                                Persistence
                                                • Create or Modify System Process (T1543): 1
                                                • Windows Service (T1543.003): 1

                                                Privilege Escalation
                                                • Create or Modify System Process (T1543): 1
                                                • Windows Service (T1543.003): 1

                                                Defense Evasion
                                                • Impair Defenses (T1562): 1
                                                • Disable or Modify System Firewall (T1562.004): 1
                                                • Modify Registry (T1112): 1

                                                Discovery
                                                • Network Service Discovery (T1046): 1
                                                • System Information Discovery (T1082): 2
                                                • Query Registry (T1012): 1

                                                Command and Control
                                                • Web Service (T1102): 1

                                                Impact
                                                • Defacement (T1491): 1

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                  Filesize: 2KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                                  Filesize: 264KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                  Filesize: 2KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                  Filesize: 3KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                  Filesize: 2B

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                  Filesize: 356B

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                  Filesize: 356B

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                  Filesize: 356B

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                  Filesize: 1KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                  Filesize: 1KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                  Filesize: 7KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                  Filesize: 7KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                  Filesize: 7KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                  Filesize: 8KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                  Filesize: 6KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                  Filesize: 16KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                  Filesize: 261KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                  Filesize: 261KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                  Filesize: 281KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                  Filesize: 257KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                  Filesize: 261KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                  Filesize: 272KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
                                                  Filesize: 91KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
                                                  Filesize: 100KB

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f8e7.TMP
                                                  Filesize: 88KB

                                                • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___BOEIFFM_.hta
                                                  Filesize: 75KB

                                                • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___SEDBQQ2_.txt
                                                  Filesize: 1KB

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                                                  Filesize: 28KB

                                                • C:\Users\Admin\Downloads\Ransomware-Samples-main.zip.crdownload
                                                  Filesize: 15.1MB

                                                • \??\pipe\crashpad_2576_GCROWZRSXVCWMFJZ

                                                • memory/3952-410-0x0000000000400000-0x0000000000435000-memory.dmp
                                                  Filesize: 212KB

                                                • memory/3952-406-0x0000000000400000-0x0000000000435000-memory.dmp
                                                  Filesize: 212KB

                                                • memory/3952-403-0x0000000000400000-0x0000000000435000-memory.dmp
                                                  Filesize: 212KB

                                                • memory/3952-859-0x0000000000400000-0x0000000000435000-memory.dmp
                                                  Filesize: 212KB