cerber | hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Analysis

max time kernel
99s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 09:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___5ZNM4G27_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="GSZeU" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoeaGAfVm6ou find the necessary files? Is the cBsynpPontent of your files not readable? It is normal behlzl2cause the files' names and the data in your files have been encrypjted by "CeBpYU4Z0iixrber Ransomware". It meekbM2tYTnans your files are NOT damageNa3KmAQIT1d! Your files are modified only. This modification is reversible. FGkWdOgurom now it is not possqnjible to use your files until they will be decrypted. The only way to deci0rypt your files safely is to buy the special decryption software "CGfVSerber Decryptor". Any attempts to restTAJ7sUore your files with the thirUptIPcSHd-party software will be fatal for your files! <hr> You can procbmXYDoleed with purchasing of the decryption softwqAPG3F0fare at your personal page: PleaFase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/8445-301F-18E9-0446-9FF3</a> If tcyspnhhis page cannot be opened  cliVK0ck here  to get a new addrgH2kess of your personal page. If the addrew9ss of your personal page is the same as befoQM9re after you tried to get a new one, you c3Xqm6Han try to get a new address in one hour. At thuRJis page you will receive the complete instrDCructions how to buy the decryptieyYVdAl9ron software for restoring all your files. Also at this page you will be able to resj9uBCahh9tore any one file for free to be sure "CerbeTkIjPk2Or Decryptor" will help you. <hr> If your perEQ98sonal page is not availaUS3ble for a long period there is another way to open your personal page - instapVYctllation and use of Tor Browser: <ol> <li>run your IntewFis6i7Gurnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entTMhLbE4KF3er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadcX0KvgbVing;</li> <li>on the site you will be offered to doLgwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>rueNTsYQgf7n Tor Browser;</li> <li>connect with the buttQVblwU5jjon "Connect" (if you use the English version);</li> <li>a normal Internet brot77R6VvNwser window will be opened after the initialization;</li> <li>type or copy the addo3WV8TXSqress http://p27dokhpz2n7nvgr.onion/8445-301F-18E9-0446-9FF3 in this browser address bar;</li> <li>presAWanss ENTER;</li> <li>the site shoknyuld be loaded; if for some reason the site is not loXqjSNw7u70ading wait for a moment and try again.</li> </ol> If you have any prxMHjO7oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc6AcwGx91h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> Addit49Pkional information: You will figYYYpiVYnd the instru7DB1gWBXctions ("*_READ_THIS_FILE_*.hta") for re62C4PHI5QSstoring your files in any fzuoCH6folder with your encm3aMNYXvrqrypted files. The instrdvtPBQiZuctions "*_READ_THIS_FILE_*.hta" in the fVolderYK7Ps with your encry4pted files are not virqwM03ksfwuses! The instrucRZtions "*_READ_THIS_FILE_*.hta" will heuL1Wzlp you to decKr8b2P4rypt your files. RemembeH9MAHpRgUr! The worst sitQytuation already happ20ysdVMSened and now the future of your files ded2A1pends on your determaIf01Tgtination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/8445-301F-18E9-0446-9FF3</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/8445-301F-18E9-0446-9FF3" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/8445-301F-18E9-0446-9FF3</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/8445-301F-18E9-0446-9FF3 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضkWTnRIافية: سOJNfوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشMl9IAادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موf8j5xkCقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏�

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___VPAT_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/8445-301F-18E9-0446-9FF3 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/8445-301F-18E9-0446-9FF3 2. http://p27dokhpz2n7nvgr.14ewqv.top/8445-301F-18E9-0446-9FF3 3. http://p27dokhpz2n7nvgr.14vvrc.top/8445-301F-18E9-0446-9FF3 4. http://p27dokhpz2n7nvgr.129p1t.top/8445-301F-18E9-0446-9FF3 5. http://p27dokhpz2n7nvgr.1apgrn.top/8445-301F-18E9-0446-9FF3 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/8445-301F-18E9-0446-9FF3

http://p27dokhpz2n7nvgr.12hygy.top/8445-301F-18E9-0446-9FF3

http://p27dokhpz2n7nvgr.14ewqv.top/8445-301F-18E9-0446-9FF3

http://p27dokhpz2n7nvgr.14vvrc.top/8445-301F-18E9-0446-9FF3

http://p27dokhpz2n7nvgr.129p1t.top/8445-301F-18E9-0446-9FF3

http://p27dokhpz2n7nvgr.1apgrn.top/8445-301F-18E9-0446-9FF3

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1115) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5340	netsh.exe
5260	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com
51	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAB00.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	C:\Windows\SysWOW64	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5860	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649904855773996"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	cerber.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5476	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5556	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1308	msedge.exe
1308	msedge.exe
4820	msedge.exe
4820	msedge.exe
3752	identity_helper.exe
3752	identity_helper.exe
3964	msedge.exe
3964	msedge.exe
2780	msedge.exe
2780	msedge.exe
4108	chrome.exe
4108	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	5240	cerber.exe
Token: SeCreatePagefilePrivilege	5240	cerber.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeShutdownPrivilege	4108	chrome.exe
Token: SeCreatePagefilePrivilege	4108	chrome.exe
Token: SeDebugPrivilege	5860	taskkill.exe
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	5508	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
4108	chrome.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5508	firefox.exe
4752	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4240	4820	msedge.exe	82
PID 4820 wrote to memory of 4240	4820	msedge.exe	82
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 3648	4820	msedge.exe	83
PID 4820 wrote to memory of 1308	4820	msedge.exe	84
PID 4820 wrote to memory of 1308	4820	msedge.exe	84
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85
PID 4820 wrote to memory of 4980	4820	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6ff546f8,0x7ffe6ff54708,0x7ffe6ff54718
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8008206017115222236,12582183993615756371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:6032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffe5dafab58,0x7ffe5dafab68,0x7ffe5dafab78
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:2
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:8
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1676,i,7646810058360839528,14751112867196030798,131072 /prefetch:8
  2⤵
  PID:5132

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5240
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:5260
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:5340
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___C0TZL_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:1628
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___UHWNRUU_.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5860
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5524
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.0.1110544635\613298323" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3d72e69-0244-492d-bbea-f76e473c2527} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 1820 1d9a6b0fc58 gpu
    3⤵
    PID:5228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.1.2109202063\1697200009" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {effcefd1-c9eb-4d9d-8849-2808560db877} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 2388 1d992785658 socket
    3⤵
    PID:2568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.2.214351223\1228084737" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c194e52-dbc1-41ad-bd93-8bffe9b600ac} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 2972 1d9a9817958 tab
    3⤵
    PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.3.754191711\1143296717" -childID 2 -isForBrowser -prefsHandle 4144 -prefMapHandle 4140 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14a6df85-bc35-4b66-b449-162cc03823cd} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 4156 1d9a9f33c58 tab
    3⤵
    PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.4.1977559340\805496362" -childID 3 -isForBrowser -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39045a17-3b9c-49f1-921f-fe1897d8b43d} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 5028 1d9adc07f58 tab
    3⤵
    PID:5324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.5.1111539814\1650207847" -childID 4 -isForBrowser -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc959ccf-a8cb-4722-98d0-f3dbc420dd1d} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 4700 1d9adc08258 tab
    3⤵
    PID:3116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.6.1678547724\1010637810" -childID 5 -isForBrowser -prefsHandle 5284 -prefMapHandle 5292 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84c07415-01aa-4287-88a1-2f4f6b575003} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 5368 1d9adc05e58 tab
    3⤵
    PID:4568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5eaf955a0ef7c0d53e1c905d70bf3ee9

SHA1
71c03140deb3fcddfac2aaeb3cf985313173e784

SHA256
26518b3e742df247613a52c14166c09642eab57ffddfeb19498a80ac87060063

SHA512
d3f13121ddf90db4c13a4637be4b12dc1652294899439a72cb655c8257aaa12e1f552c02ea45296a07ac959588eac7cdc4bb0080ffb3697735d18b1b40452614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
44215c35bee473a82624fea8d620b5fd

SHA1
fdc85f680c1a3d0707bd0b312dfce6ec330c1c5d

SHA256
3b1558743d2bc4ac6f6d8579c336619f3deff83a46a3f25ff01238b894a0d289

SHA512
ad8abb89b96b976e929431f0d0ee838ae28100c63eabd5cd33f3d10a48350dba6eb1f7b127b46291958bf74c6bb9ec901542f9858b3527047ad5510bddb97524

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a8f648650ccbc2c2ec67d12ca78f32c4

SHA1
20c963c0b9e8817f133d5a3fc56ab86c0f2d3378

SHA256
3f0b97de3eb0ff49f7bde68ffea294dce4aa04eb3d42db39054962e1b8f75f17

SHA512
68e75b0019f31c1c2e7ffa46f71f0b041d97fabf7d09bdae1edd285ec4f90a302a526c18bf8f05003ed89b6c20297c3fe683f5b8454e3e8cecea135f6f76bd77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2344383855c52c6bd180451de0c75c5a

SHA1
b905c757114235e62510ffc99a2659e925eb77be

SHA256
736498e4199fae327ab6713019ed4f7ea99f21ae0cfcc980c2c4902fbbfc66ba

SHA512
54899b03f111949e06e7eb5285f8d4863e79fcb342d9d9560073da7ea4e274d8ee70f0c6852760ec40d1047d475ac39476373e2461dba446eefaf532439587a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
67d57f1aefcb44bc48c1205d51113081

SHA1
62a8d08b17ae5caee630d30749644952c50a6203

SHA256
77fa2076b13e031e410e6ca453a389d457a9dfa8819fde81b90df6606459ab76

SHA512
1443eb9c0f6dc37c648e809b07d64c3f57b6b316da3e292f08dc43603b7f0d400e59b72bc80e1193054bdef8b46cdaf7eb18976d30877b67a0b98cac3f1cc48e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
1df7b85629111093ba9355a50663cb42

SHA1
1f943bdd1d049d0cee3fb224c61835f33cf8e6f2

SHA256
31173821043d9e2291eba77b97a07b58d7895c1c09200d3253116c6b3596d6af

SHA512
5d1f14bb4ec60398a6eb51d8a7e0e3d61af69a739102a0b7ef6b1e1599f205e3753f472d2dbffaeaf2e6e1bcf409fb03bba2c9731221dbb26996759427cd99b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a27d8876d0de41d0d8ddfdc4f6fd4b15

SHA1
11f126f8b8bb7b63217f3525c20080f9e969eff3

SHA256
d32983bba248ff7a82cc936342414b06686608013d84ec5c75614e06a9685cfe

SHA512
8298c2435729f5f34bba5b82f31777c07f830076dd7087f07aab4337e679251dc2cfe276aa89a0131755fe946f05e6061ef9080e0fbe120e6c88cf9f3265689c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f060e9a30a0dde4f5e3e80ae94cc7e8e

SHA1
3c0cc8c3a62c00d7210bb2c8f3748aec89009d17

SHA256
c0e69c9f7453ef905de11f65d69b66cf8a5a2d8e42b7f296fa8dfde5c25abc79

SHA512
af97b8775922a2689d391d75defff3afe92842b8ab0bba5ddaa66351f633da83f160522aa39f6c243cb5e8ea543000f06939318bc52cb535103afc6c33e16bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
215KB

MD5
5c571c69dd75c30f95fe280ca6c624e9

SHA1
b0610fc5d35478c4b95c450b66d2305155776b56

SHA256
416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

SHA512
8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2c4e7726aa88a00431aa9efa53a4a6d2

SHA1
ee3f677aa58af611d4ebc1a13d38887e4863e094

SHA256
c3f84bd620198d90c649de5896e7134653efb061937530144211335ef64ec2d5

SHA512
d1db5da611e83cfcf1b823c8cc304b711b3459304ec50a1b1d9e45dd23f68f3f75e3cb988e5ba5e2ec4acca32ccef3b2f0f910aefe152cdd353cf3a73a0399ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
edde26eefa6e625eb54122ffbf5d07a2

SHA1
23faa1e654a6106e6a64e110f522af1f046deae9

SHA256
dc01c018db1a48f4b6e44c5b47bda14f35b68b7f23935a750e22c1ebe8f029ce

SHA512
4c912e6d5873aeb9e7864a641f12b21a07ab579bf24ea0032d526c11a260f86dec3d62d2ddc10478b66ee9872b9008066360d9aa1b1fee904d83582ea437f884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
26aa153f9bdcc4f3ea5c36c066b8f2d9

SHA1
de8ad805fbb2ee1c6387b9aaa883fea656576e25

SHA256
6b891e42a617f6456aafb8808a371ce171907bd9037128c151b9f0b731496152

SHA512
313d24f55d9451d18c96ed71d02c58c1a181c942a4502f87f9eb10eddbc4e2616cc323e070f880c5bc03fffa584e3d8b5645e1c676f801bc64c43237829a9e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8969ab3ce7c995ecc0c6c7da740f1ad8

SHA1
266b4ef426b3198ed0474abd90ebd4e9ca5c760f

SHA256
1d9ace374d38157eb589d01a134b1d322ffc86841df8808026beb9e096c117fb

SHA512
588ff4c42f48f6d4d15fbb56e71919b10fff9b022183d745a4831d6dd06c1abf50bd0e10ed62be912983745128b360bd6c4f11d0c8a1aa0ac18ef4405f60db82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b15041a932ad1c35bd1191876951ca4

SHA1
468e6991d3610904c6f46ac4063efc620546a817

SHA256
d07aac55450a32b3c986dffa3c2810e49218b6f2cc4fa9de439e366da2a82bc2

SHA512
a7f50e475fb640cf0eccce930cbb0487a2c31565d371f64d772bceac110c24a8ab4e4c52e5e30f98110419ab12f8b2a0b24053b5f937c448c7ae40f5b9bc7f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb401d766765df19702c8990de6b5987

SHA1
cc5e251ce78f901ce9a36b844f658f156de7c883

SHA256
68add678e341ef45664e5e838756244792318c4900462a75cabd9ccaf1794fc5

SHA512
6821c07495982cb1a978f54da95430a1de4f8625f0df03f4da2ccb4aaeb9d9961ff243305c0ef56dd91d9ace3eedf5aeb4952b784fcda3eb8162a07e21037153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
819780862624412fe08d9e517494557a

SHA1
765e172c90a8450f4067f7dc92fb131afb43c2eb

SHA256
b6419acb2b8e5c8bcd87c1c417e440f6e242b4c055e6c8d63c701de2099ee2b1

SHA512
104c9246922d6bd333212e5d46cf4e58a53fc8317588712f20773c8a13c6c4a3c761456bd99d766c457afedf53f20224c0795d77ae6b77e18b2c1269be6470e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ae4e673285d7cb307dafc433165bb1a

SHA1
17e61e5b5c319fdb84c9316e96976b52954f591a

SHA256
429088859346c8a9f260a07ad17b7a2adbd0ce6be86803632d6adb630cdf71d8

SHA512
2cafe88b5367c5abb9420dace93b52809f77ac3a0c77b052c994665c2868a520c61d7728383e182be9189e7a1f1577c034a34605b00d27badf28b4b56c153c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4fe5a846cd05e0b6ea894f9cb8baf40

SHA1
7f77345fca5f7a3f8190e2673f85e02aa424a9da

SHA256
5bb25dd364a1c4fec0a3447017a7936af281d487c5a7f881181b907d61e9dc28

SHA512
119af3a811635c0ca7fd94b1247b253f9f426fdfa14410771a409c9ad18a1f1e201a2935dc863e72f1e58552adc80435c121b7ed7d5a254b93538578284ecb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580c8e.TMP

Filesize
1KB

MD5
de14f3a54b79bbc0cdbe1db0a34f1f58

SHA1
e29d2f985122b06fa0460a84541d37fd4a02f623

SHA256
50686232f11e2307616cb2d445d6d0e4c5dd616804ac67940b0f5c856f953df8

SHA512
df6369be06c4e84eb306df453492c4d59fb9f19c5ae4b76860063632dee62e5b19bedcba44730db96c45a5e2bbd79f913bc665e25fced099ca823c7bb6188647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2f85ca4f1dd5288291e3b33d9def1e3a

SHA1
10e1fc32480fa6598ff7ecfdaf23132e68d8e0ff

SHA256
fabeb5f6cbd60a107a071eb55d6b833ad94d406eba3fdc493df2ed8942c7337b

SHA512
0c297b71f2c298b74ea58d1169e928c9b0adf5b3b4993a52f1a029cf2bed8e0c861c0c74f2935689fbb3bd04ae43426afdeead783e9f48068e894ecf8697f41a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9883f152f1d22fd6f5c740ce5eb55a88

SHA1
fc588af86b02055e4b27b5c4bdbf95ba7ccad066

SHA256
2c7cd6f291f883bbeb69d006ef92b72ec04fa1a4ff4cc810c3f6ed77bfb1a1f1

SHA512
5c27d40ce2888dc8b6e30e102e52a048700f15dc7ac748458761d753af617822ed7ca57a6463ba0342d6bbe9a7e8d05aeb7c921ce5a6c375a9a4e8a74e874481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0a84b5b337d72e88346186a49e70f8cb

SHA1
92d5f759c44794a582883d359b93b43777759c09

SHA256
6bafb4b88e91cf49d5ef6f76b97e235ab035e615432ab51cde644d161a724de6

SHA512
e054223cfac99b79e67701701180570f77ca7a8fb421a9effd2d2a99e966497454d79a343fa60782da17b093894866225ab6570a8f1959a8910ab234941c22cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e98b0c277ab02a834fd5f8af959163de

SHA1
6fab8d14a748c3db09fc06d4460e9f56e0ab562b

SHA256
cb476facff08f5205a19b6f6cdb0509a86a56d524d63d08442289a11747b9456

SHA512
5990471e1da09e5c6987e9777bdcd1e3aba58b31116b4fd4102997cf2e213f3d41cba52bb3d0b576d1dde3bd352d18c2a5cea98d3053e31c84b9830294252790

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\caju9pwo.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
72f3f0eab914c7d4611331538f880530

SHA1
21a0618e20ac635fc5c9f78dfd75d5106d0a619b

SHA256
9a58ce49deaae9563ec84c4c471b7e21a5dbdce3bd6959caab8a0208d9238e29

SHA512
98297bc24fd4e47a08210dc7f8ec313876170e4588a98e542f2efe0e0acaf17ce7ee07705833ecc27aff8acfae9c435cf840df397cc8ebf7f82c5fbbea032c2f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\caju9pwo.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
bf5710b1b5c37a1e9d388d5da4086531

SHA1
489be30d3142efe63f5ff848e4d0e8f6cce95bdc

SHA256
65d435021248788e51037de3e09ae53908f3a71470fdfc34d149a1141b3fee34

SHA512
3ac761406b0b2d26a918663df7140ac5d087c14c783571083a037ab545f22c164b5ef699b33a42bb4c43c493f314f5ba6803a3aeed83cd820c796c2bca50efbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___5ZNM4G27_.hta

Filesize
75KB

MD5
d91b37ad765576d4baf6af84c518fb7b

SHA1
f06924e1d3652753b7e972b4fb8912f3c1c76ec0

SHA256
c46e17567951e4768e2b9d549e78ee21b03244cda0a1aa5fd3910db772c0f1b1

SHA512
48e408d6b0d585fa104bb5fe23f26b31443bdd45b4e3420e97fa0cf9a47a29ee4e3518159f0741a21333ef84edb19a767b1482d6e274b72b80e72d1b974afb1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___VPAT_.txt

Filesize
1KB

MD5
da93c20ec0312d5fd98616328be16e1f

SHA1
2610faafb028fe553be69e321580f9ee4a60effd

SHA256
132fbf787b400bef0918488bce6c414ebb453697f169f1a4016b84624eca5ff2

SHA512
6efd5d60d33a2b0989a0dd15135af6fa2bd99a2253f0508e3bf70f6c2a13a15ae1e2ce1f393b24b545a8f64c4b875673aa51a3edd97b6eed48013bfc4dba2623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\caju9pwo.default-release\prefs.js

Filesize
6KB

MD5
ac45d6c2b4fc0ecfcd792d9bc29254af

SHA1
9a0b5f08b36ab058257ce96dfe5b927c2174c254

SHA256
593ebe6f6b5230048fa9605016fbbdf52b8578221d7d72fbd9882dd797b857ff

SHA512
33ecbe2779b9234e9558530d7e241253176a12b93bccdabc4db2c64a522051745d084610d265bd4bf79b01f0aecd3a89f4ac0c8de69472a7d0072d901a5c0c22

Download Submit
memory/5240-882-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5240-918-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/5240-917-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5240-883-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5240-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5240-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads