cerber | c248467a7f175bd448032d2228a439ae7152bb106918918961720eadf2234804

Analysis

max time kernel
303s
max time network
308s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08-07-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

competitive_ilyasessar (16).ovpn
Size

3KB
MD5

08cf571929908df11a7b710b8fc7faaa
SHA1

97838cf63d4521b890f66dc694e9e759b15147b1
SHA256

c248467a7f175bd448032d2228a439ae7152bb106918918961720eadf2234804
SHA512

4cd77db09ad0599b203192d64db348dcad8f932f388fcc4b7f869387f22c600750060525f29482ff3be712e4d34bd5099afaf0f57a4564e5d5f59971d40df0e7

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___UYPLF_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/BBDC-FC6E-EFB2-0446-9C58 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/BBDC-FC6E-EFB2-0446-9C58 2. http://p27dokhpz2n7nvgr.14ewqv.top/BBDC-FC6E-EFB2-0446-9C58 3. http://p27dokhpz2n7nvgr.14vvrc.top/BBDC-FC6E-EFB2-0446-9C58 4. http://p27dokhpz2n7nvgr.129p1t.top/BBDC-FC6E-EFB2-0446-9C58 5. http://p27dokhpz2n7nvgr.1apgrn.top/BBDC-FC6E-EFB2-0446-9C58 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/BBDC-FC6E-EFB2-0446-9C58

http://p27dokhpz2n7nvgr.12hygy.top/BBDC-FC6E-EFB2-0446-9C58

http://p27dokhpz2n7nvgr.14ewqv.top/BBDC-FC6E-EFB2-0446-9C58

http://p27dokhpz2n7nvgr.14vvrc.top/BBDC-FC6E-EFB2-0446-9C58

http://p27dokhpz2n7nvgr.129p1t.top/BBDC-FC6E-EFB2-0446-9C58

http://p27dokhpz2n7nvgr.1apgrn.top/BBDC-FC6E-EFB2-0446-9C58

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___P4561A90_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="z5L0TxsZp" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoiyhioiu find the necessary files? Is the cNH2O1Vontent of your files not readable? It is normal befcause the files' names and the data in your files have been encrypITmhntted by "CedTNMrber Ransomware". It mewkd3f5Eans your files are NOT damagecA6wKROod! Your files are modified only. This modification is reversible. Frby8qMdrom now it is not possrxgzn1iXUible to use your files until they will be decrypted. The only way to decwweeO9PGrypt your files safely is to buy the special decryption software "Cnq30erber Decryptor". Any attempts to restih91Q5csore your files with the thirEdd-party software will be fatal for your files! <hr> You can procyAeed with purchasing of the decryption softwcXare at your personal page: Pleqfzgase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/BBDC-FC6E-EFB2-0446-9C58</a> If tZpmHrSjhis page cannot be opened  cliRQmCGLck here  to get a new addrkess of your personal page. If the addrexn1Xth3Xss of your personal page is the same as befonHhXyeNtre after you tried to get a new one, you chEN0E53JOan try to get a new address in one hour. At thLhVNfkKK9vis page you will receive the complete instrJ03hkDfbDuctions how to buy the decryptib1RcDon software for restoring all your files. Also at this page you will be able to res3eGJtore any one file for free to be sure "CerbeM6r Decryptor" will help you. <hr> If your perMsonal page is not availa68NI25sble for a long period there is another way to open your personal page - instawllation and use of Tor Browser: <ol> <li>run your Inte9CieBFGXrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entnJfwer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadwArUcqW3ing;</li> <li>on the site you will be offered to doWAhtuYeYwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruGtKrn Tor Browser;</li> <li>connect with the buttWz9Eon "Connect" (if you use the English version);</li> <li>a normal Internet brolYZhJwser window will be opened after the initialization;</li> <li>type or copy the addAiress http://p27dokhpz2n7nvgr.onion/BBDC-FC6E-EFB2-0446-9C58 in this browser address bar;</li> <li>pre6sGak1EDYss ENTER;</li> <li>the site sho7Zrjuld be loaded; if for some reason the site is not loC7fjPBnhlading wait for a moment and try again.</li> </ol> If you have any prqoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcDQrNSKGP1Mh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditGLrGional information: You will fiRPY5LUHKhnd the instruty0qR7Zctions ("*_READ_THIS_FILE_*.hta") for reLnstoring your files in any fwWolder with your encx2LKa9p1Rurypted files. The instr1UIuctions "*_READ_THIS_FILE_*.hta" in the fr5CmoldercuKCdgks with your encryhRXlUONLSpted files are not vireUuses! The instrucfq5zGTjgtions "*_READ_THIS_FILE_*.hta" will he4L4dRGBlp you to decIfrypt your files. RemembexG4tKr! The worst siqCu9CBtuation already happfCGxdRWened and now the future of your files de54wgpUnSpends on your determL4ubdJKination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/BBDC-FC6E-EFB2-0446-9C58</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/BBDC-FC6E-EFB2-0446-9C58" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/BBDC-FC6E-EFB2-0446-9C58</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/BBDC-FC6E-EFB2-0446-9C58 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إض3افية: سNIXوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشU9mlادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موpWقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1109) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1372	netsh.exe
1752	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpF653.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	C:\Windows\SysWOW64	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649339647013535"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Cerber.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1932	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
4676	chrome.exe
4676	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4100	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 2476	3776	chrome.exe	87
PID 3776 wrote to memory of 2476	3776	chrome.exe	87
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 4900	3776	chrome.exe	88
PID 3776 wrote to memory of 888	3776	chrome.exe	89
PID 3776 wrote to memory of 888	3776	chrome.exe	89
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90
PID 3776 wrote to memory of 3180	3776	chrome.exe	90

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\competitive_ilyasessar (16).ovpn"
1⤵
- Modifies registry class
PID:4972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd60c5ab58,0x7ffd60c5ab68,0x7ffd60c5ab78
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3484 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2696 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1484 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3420 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4776 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1792,i,15074514309602194906,17686343724559905066,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4604

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1928
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1372
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1752
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___2HCKF0NO_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:472
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___MNTZ52W_.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
1b0656b630e53e111a40c4acdb1461e6

SHA1
0fcd94f793d8a1956e63bd48dbcb8ee896aeb71d

SHA256
8a9e0f280ebc4ad4d76d43fd52a245eae484074ea58f34bf3dcd253057735d36

SHA512
b7664dd9b1724ce96fbebe1b9e8c11646cf805866208ba9552fe5ac6bfba5f4ed9062f4d82d62b1aea726570833f1cb3a83314b467e115b50407d26bfa63ea4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
aba465fa6338d8a0d14e03a6b2e11081

SHA1
dfd9185bc596575603ddff9acb57500f4f0ea727

SHA256
bdbfec48225be1c98c012a5aea114c72df964a147e3154c48c2c2c753e23a4d2

SHA512
01adcf385a5505ab00aaaf071a1151b1b23b8f73efed8b3f0a5e197de48d62749dbe0a58671127898078ee85ba219cb5834f2732bcda4d83cb098a45d2fd6e29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
32ea92998660b25ddc0dc9db4093409d

SHA1
d509fb55e535d975ea4d291138f14de38edbe993

SHA256
729e0ac4bca55c132ea093d8022688c5ac919a94c7cfad5258ff2468ca949f40

SHA512
2a2f24373386af5d0cbd4fa9a010c74f9b388145e6a51a2cfbbd07f70ba262795db38b27e857ddf9a6a93053400b34e4853a151369421f050f539f3a488715ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2e4ade96287ad60fa7ffaa1e20617747

SHA1
f6aa3968d5591b914311b07c150d89c345ca4da4

SHA256
449f5113ddd5a054a9aa91abf804b1dd810347542e5db95b9fcb03622e88c680

SHA512
280c3ccbf3a20ada4f22baa6fd0ede69ed9f71c2bbaacacba5971fdbbe6658194bddddca31894b07cd4638b2aa0703303bc1d387c86c14025780dd82d93e45b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
21cc5737b783ba7985445fa00928927b

SHA1
b30dfdd416a6136dbb1e4d75fa8594764da9264f

SHA256
5dbcafde32e88c023597037b14c1142971fe87bf289eb8b1e81b9baf200ababd

SHA512
01c9990f27e48ce4ad86436f66f6d891e1dcb4cbbb5506fc270254388297f969b20507194f7be07b86eaacf21712267a155dae3d0f85b975eaac090bc08da597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f89e328133d0d7766e81f7fc2f9132d5

SHA1
feab625abaab82a095fa0ddec37cf7b2f58fe54e

SHA256
0adc29f910fa53bff66dc9c1e00dc172bb8df2fab090fc5d9db91bdaf4f33ca7

SHA512
8543b00dc325b0c8c4bf1eb2e90f2236524da2cbc8dfa8ec9075c1bac2ab2d8369a6b14ff7e247a7d256651c71481c3ebc826d55fd9e3c4ace3040366e157687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6d581235491386b6dea958729b6ba3da

SHA1
cc94182314c8466e081e8786d8b4f0a54dde9294

SHA256
4564acaad5fcec2218f00294c70e5438f9f8a72c497a9bfbfdb4d03810dd0246

SHA512
94feafcb3080684cc0d3c7cde09a41d8989b35b742ec4b6a613f049aeffa21e11e22c71c4565b63616450ccbf5a26ce11201d4999769d7af4deae53662d903fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1fdbc9bacc38c272aae7730de78bdf09

SHA1
ed36faaeca1b00bcac98ddce8bcddcc96ad323b3

SHA256
57700a2319a2ee88d5d8c978fdcf2b9e4cbb6179cb04b204985d01f98bf198c4

SHA512
e821a295513f2cb62278bf8bf3a536866b178ba6565c8938615d692e3b633335141218d3add3bf0f4ff52a4310baf9a503b3ab5fc4af645188f20494432e6807

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1d888056e117cd089f4e89a65372e9e6

SHA1
9685d6b408b83a24d1c51a267a003da2cd88fadc

SHA256
b5d8ea87883f622799c450d0ebfffe7c014d5437486ac240ddb67b3372763444

SHA512
500a3cd0ac4920f6b74330eb16b3e2bfe33bc9158b3d0f32ad23330bbc14445d5a16902947b7288353025d9e02af0544e61c6583e3815507faa6f92d54a12e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5e02b3fc573b5d1799a51d092e7bf4d9

SHA1
8d84fdc055b5882e253b1ca74dcd48b47ef0a9b9

SHA256
a686a8fc6a257aa25db81f10b3a544ce02978de6c1a2623bc37388a11718f109

SHA512
35f2889dc7d5d681a9365c588dcf2e48d55328c4dadfd52f39118348f421b17e01a8edfed2a2f34777a87486cc3ea01b9bae7ee899b17f90216ef8540e2cd507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
67a46dacfb14379550054df3a04fe5db

SHA1
b42fcc369a194ea7d0864c0bced2b774b137e1ae

SHA256
93616cc1d5e3cfe2f526676ce7004c568a949977c31eeddb2926b224dd5ba359

SHA512
dcf8454fa909dee16299983071518d12cae91a9ffec1b9b84b1e5907c70ed0e78cc43448e2a8f879f23b2b2f96d00870da55cb3955f3f1fc6ab1dddfb3e22fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7407375ed374c9839b59d119b2f817db

SHA1
d9ec36040f734e11322a10363c2316413731f8f8

SHA256
a42162e8a493097b885425dcf734f271f62a80e167828a50d8cee395beaac680

SHA512
69340f72365cd1c96f1c2cbe41bf00293403c69fbdc74f6ff96ad892564c5ef95d64b5885614525c079f478500d2c75013d15d46071dfa3e732f0e270047981b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bdb07a83357ebf444dbc1cb622c6cf5c

SHA1
c9683c12f3eb5b6317e51ebfbe19c564e100c505

SHA256
9eb12850776b365e97c340460f1310e8049e12d1b87eb3a4f3bc1ec31830e455

SHA512
03b4e1a562bc08dd04e58b338b99cd77352a803b49aa1cbd1249dd623b0e3730d01813709bf95651f671fa62b28ed82e9e5097e86dd86be5eac35b1a15ccae5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3f50b781b493115e29755d8c75a73a39

SHA1
a7853bf1b38ab86ef1d582097873948b7274ca2b

SHA256
739e1c0262eea294c57f3d6e050166be4060cedd3bede96f204ebb58a0e7c995

SHA512
49286a7706b9ba1ce5fea92ef5c4d9eebed472af9f2324809a9809faf4d90098cc9d053814aee9f15b84572d8c2edabb964b7d54b2575a923f470fe211d9ef5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
68838c8d29c8c6ee83320ec2ca9f6f06

SHA1
dfbddcaab90901c23e7d6ae4c7a6ec3d49607d90

SHA256
a3eac82e05ba15c834fc9d45038c108b235ca4853f5c810895fcab397a5049ec

SHA512
9d6ed2c81f9949367e8e4391120e3369165e52f78b12fd0650528eb7fe71435936eebb8640217faba2b794a07f41a22af1982151b1b173b25b35ad6cd95ab21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
53f879c6dd501aec62649111f2807ea7

SHA1
75ad46db8044044e7ff3bb92413d81787f130f42

SHA256
f3c453510042aaa0791383e1e04f80d74df1e019b72e65104e80c4a28ebf088b

SHA512
9383691c0395c395341c479815bb6395c0d772ee2b1668c4b264f60adfc992ee68a35b62781f9c147ea0cd49e670035c51df9c907361b79e7bdd5a1bdd1b9f30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e6a2ddf762b494f05e3684145168bf71

SHA1
632f8a2d0b08d777323e8b0c899df238ef22f4b5

SHA256
c4b6eab35f1b501cd9fe98468034599be7f08eebc5177920988022c21a8ccff0

SHA512
3f4e8a61e8a318793a11b935eb52f841dbdd6deedcf808414d74635b5552a72317b76f253ec736deb5c522b19594fd0f945a05a68613341ca60d7bd959279ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
15320a8c28bac861104784bceb7a9068

SHA1
bd0920a5d8248028053ee3ceb7748ac389f21fbb

SHA256
5aa036698ce5973f8e0b18495417475f9b5ed52ad2dbbe5c5c05875fd71d30ce

SHA512
fd1c7b7fb3696da2bb0b4f9d20aaa06027e11d453e2438d34dcd70873a772e24fb20d645a97a0249a055e3c672c277b23c6f41ee9825f320232f94c083593f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d9ddcd78-ddc3-4897-81e0-f90307767538.tmp

Filesize
6KB

MD5
7955a628d21573cef6382e6e6df1e6b8

SHA1
919cdb34d424d4667272331ca5acc571e13d3ad0

SHA256
4913dc8bbd37b9160739346174d3303ee6ef9e278c780dc96eedf64ae0da6e40

SHA512
5187270698117a572de2f19a0f5ae4cd7982626b89eaa5c6fa5bad1bd3481e86880513bb6fa79586c9a8da57f6f79970644a2606ee4a7d9affb6ab3bee30af13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
722ff5842720e1d024e127c1d3ba54d5

SHA1
e9110344d8efebf4df4287659e50c09b9e3503a2

SHA256
51b7161b161efdb59936dba5ddcbb9da71be4e1810cc6cd1ea89aa1b94c9bd65

SHA512
ad0d923dc5af8bfa9377b8c0d805afa91670a4a555eaa2e5ef3e831b6575d2ec07ff80e926039203f713658b3d72076ae7c7b8d76fe3ff6fd61524c41159489f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
e86868a93e9999e368890b4d950bfc9d

SHA1
b2b02cb0717ac210aef91804a4436ce05e997e26

SHA256
45814b54d8e3385ba3de7fa25965e9391371a34770325fc2b9f0799b84a80f08

SHA512
b273b46394416e931a235ce78b47fea0a2405b726f03387f0ec0a5d5e3cd6be09aa3d6b20fc720da3d2d64f7951132389ae862743dd890d93c725123bfe61a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5bdf8f.TMP

Filesize
83KB

MD5
01c39f35f45b459f27c7cfc7aff54ca8

SHA1
fa840612b947bd9bea44741b58e8c9d488db0875

SHA256
c5a1fbe3f9227f0e51bc64d051af7a5d92c0b24364e4257f320772a2b03e9cac

SHA512
e86ceb55c47dadd6e16b35b21dfc02e3153838d04247adae0b470e61926fb4e3ad6c35ab8553f1c1165a0608ce372232f139bd130a6a3b74c619dece1c3c3f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___P4561A90_.hta

Filesize
75KB

MD5
4bdbd4baefc8dd18f1b72892b5177335

SHA1
be177452bd323b5efabfdd2b382d882a6cace9ec

SHA256
e43be06188bb2d606446679026469d11e54f2c6cfcbdb005f045c708cefbfb96

SHA512
e6eb3c4a08bd2eff21dec4f93ac540c01c212686c440b22585a947d6ac9b1ae7c5c453409b5d02087175cd4ed411727c910484847105b99b655560cb91ca2e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___UYPLF_.txt

Filesize
1KB

MD5
0724c6adea65425cfbe54ec59b68ca92

SHA1
7b8cd1db561898e1c4a8455b5ae4f25a0bbe0bfc

SHA256
2f7095c6ebcb3cce6f7c797a72752937e54d8c5f13c42247e0fc0ce2ce549a61

SHA512
ce129db6ff4b33110132bd8e3a987b22ea193b321b5e94c2f2423444aeb93f0eb23f6909293daf6907f855db2a4c58305a2c6befc995e04ea2a079898ecff0f3

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cerber.zip

Filesize
215KB

MD5
5c571c69dd75c30f95fe280ca6c624e9

SHA1
b0610fc5d35478c4b95c450b66d2305155776b56

SHA256
416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

SHA512
8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cerber.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/1928-1011-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-1017-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-626-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-605-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download