cerber | hxxps://github[.]com/kh4sh3i/Ransomware-Samples/blob/main/Jigsaw/Ransomware[.]Jigsaw[.]zip

Analysis

max time kernel
398s
max time network
402s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Jigsaw/Ransomware.Jigsaw.zip

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___UMN2N_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="J" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoW3lsmKptUTu find the necessary files? Is the cOMLontent of your files not readable? It is normal beWdxwFZcause the files' names and the data in your files have been encrypbdFnhted by "CeHcfIOKsrber Ransomware". It meJAvyfXXgans your files are NOT damageTRWRs9yLjd! Your files are modified only. This modification is reversible. Fmrom now it is not posseXvrcLNible to use your files until they will be decrypted. The only way to dec3BBw7C7k5Crypt your files safely is to buy the special decryption software "CCXerber Decryptor". Any attempts to resty6n2voeZ2zore your files with the thirs17072Bd-party software will be fatal for your files! <hr> You can procR3swHyeed with purchasing of the decryption softwKhuDLgPMQfare at your personal page: PlegKcudrdase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/0BDB-8CC9-1485-0446-9480</a> If tfROrfyhis page cannot be opened  clitck here  to get a new addr9BBIq4W6Cess of your personal page. If the addreh8ss of your personal page is the same as befoTXEmre after you tried to get a new one, you cYGknpFRan try to get a new address in one hour. At thfiYGkBxj1is page you will receive the complete instrCdDPRnuctions how to buy the decryptison software for restoring all your files. Also at this page you will be able to resG6iNtore any one file for free to be sure "CerbescXYlcr Decryptor" will help you. <hr> If your perzSpMp0wcRsonal page is not availaxeble for a long period there is another way to open your personal page - instai74XTxllation and use of Tor Browser: <ol> <li>run your InteJRrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>ent8TC4FqPIder or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadvo7bMMMQing;</li> <li>on the site you will be offered to doP8UkQ0wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruFETnn Tor Browser;</li> <li>connect with the buttsgSIkM1Ypon "Connect" (if you use the English version);</li> <li>a normal Internet brogcMW7Nmnwser window will be opened after the initialization;</li> <li>type or copy the addM5ress http://p27dokhpz2n7nvgr.onion/0BDB-8CC9-1485-0446-9480 in this browser address bar;</li> <li>prevDANSWss ENTER;</li> <li>the site shoSMvk4juld be loaded; if for some reason the site is not loerGEUMwTading wait for a moment and try again.</li> </ol> If you have any prP8A27aoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcJpnvgD1Rzrh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditxKPWBlHvhlional information: You will fiHABwnd the instrutdsctions ("*_READ_THIS_FILE_*.hta") for reVxkilbq4dstoring your files in any fAolder with your encHzuSwwrypted files. The instrttntR9ZLuctions "*_READ_THIS_FILE_*.hta" in the fYxUe0TdolderVpllAqHks with your encryipted files are not virok9eDDUuses! The instrucKry7RWItions "*_READ_THIS_FILE_*.hta" will heL7Jn0lp you to decPdanrypt your files. RemembeuEQgofxrf4r! The worst siqo8xpstuation already happmEaVLFBened and now the future of your files deEVhSWDwpends on your determShzQ50ination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/0BDB-8CC9-1485-0446-9480</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/0BDB-8CC9-1485-0446-9480" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/0BDB-8CC9-1485-0446-9480</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/0BDB-8CC9-1485-0446-9480 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضORxافية: سuوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشhwzuSAgKjادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موFhaRs1mقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！�

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___0OX46_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/0BDB-8CC9-1485-0446-9480 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/0BDB-8CC9-1485-0446-9480 2. http://p27dokhpz2n7nvgr.14ewqv.top/0BDB-8CC9-1485-0446-9480 3. http://p27dokhpz2n7nvgr.14vvrc.top/0BDB-8CC9-1485-0446-9480 4. http://p27dokhpz2n7nvgr.129p1t.top/0BDB-8CC9-1485-0446-9480 5. http://p27dokhpz2n7nvgr.1apgrn.top/0BDB-8CC9-1485-0446-9480 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/0BDB-8CC9-1485-0446-9480

http://p27dokhpz2n7nvgr.12hygy.top/0BDB-8CC9-1485-0446-9480

http://p27dokhpz2n7nvgr.14ewqv.top/0BDB-8CC9-1485-0446-9480

http://p27dokhpz2n7nvgr.14vvrc.top/0BDB-8CC9-1485-0446-9480

http://p27dokhpz2n7nvgr.129p1t.top/0BDB-8CC9-1485-0446-9480

http://p27dokhpz2n7nvgr.1apgrn.top/0BDB-8CC9-1485-0446-9480

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1111) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1580	netsh.exe
2604	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
61	raw.githubusercontent.com
62	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA9B5.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6020	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5620	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	cerber.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4400	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6020	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
2052	msedge.exe
2052	msedge.exe
3064	identity_helper.exe
3064	identity_helper.exe
2404	msedge.exe
2404	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe
5020	msedge.exe
5020	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3364	cerber.exe
Token: SeCreatePagefilePrivilege	3364	cerber.exe
Token: SeDebugPrivilege	5620	taskkill.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
2012	OpenWith.exe
3408	131.exe
5144	131.exe
116	131.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4840	2052	msedge.exe	84
PID 2052 wrote to memory of 4840	2052	msedge.exe	84
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 1196	2052	msedge.exe	85
PID 2052 wrote to memory of 3100	2052	msedge.exe	86
PID 2052 wrote to memory of 3100	2052	msedge.exe	86
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87
PID 2052 wrote to memory of 4396	2052	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Jigsaw/Ransomware.Jigsaw.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff974ed46f8,0x7ff974ed4708,0x7ff974ed4718
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17185864793475963238,6181732838626750529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Users\Admin\Downloads\Ransomware.Mamba\131.exe
"C:\Users\Admin\Downloads\Ransomware.Mamba\131.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Users\Admin\Downloads\Ransomware.Mamba\131.exe
"C:\Users\Admin\Downloads\Ransomware.Mamba\131.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5144

C:\Users\Admin\Downloads\Ransomware.Mamba\131.exe
"C:\Users\Admin\Downloads\Ransomware.Mamba\131.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:116

C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe
"C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3364
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___1O0OW2_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___PYWN1_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5620
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6020

C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe
"C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9b758df022a596f0c4b90908365cefc8

SHA1
d6544cbe17c42ae5289f5158b43b9cb4ff796064

SHA256
11fe3febd857334c5a833ffbf71e7eae08bbc8fba2407e37526337912764c367

SHA512
c72cfc98cf3c1eed33f781268865fc8b74aebe2361c2ab0404c7dfbf1701d426a5113760ff54f6a5bbc08bc67955a341bb3208c096e964bce97c189de9cbce3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8c16a30dc8d960bcc18d68c949f3c9a7

SHA1
768e2aac23b07b4a73fc293419af6a8535fe9c4d

SHA256
ff6adcce8bd671d372f525bf8fc25b87e6047bad277d8c806f638b00eaa25dc0

SHA512
775c9d374960fe71e701dd90b017ca4ddc9fc62f0c1b541bd3a130c0f988a5f4544c987b6bc1979cb28b657c2a653663d2b07ba1dc7d47fc4350c85dc0e51936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ccfd8cf76fbae8564ef8d4aee22756c4

SHA1
05ab6da00e74c74410f33664097268208be22792

SHA256
029a0a633e0753258fbf53751e56b27171cded46ab174bd9b5d2a4dec6b2e888

SHA512
e26352140b28c1466bf75d259aeff9bd2740ec29021961707d95ae27a1fd07f73f0efe444727586702e143cb31f2426ddaaf0c7dcb26c0579ae0c2fbcbcefafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
d6e3bf37c442b2d39e58f791930e5310

SHA1
8320df56dcc995ad18a087e3bce42bb574653689

SHA256
ce37006c5534f3037bcaf0609401c0e0e7b35625d49aff65bc1e9577e01a95b0

SHA512
7f59b78af656aa8f9bf3152dae5056586c5d79f35cefc29699f57c5832a4cc2ebfe6bd9ecc7587fccde524a4ea31d4e4aa9b8a0d50279ca6a52883b70bf2da28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f96e462d6f22cf294d3fa95b8548c974

SHA1
b903feebba9bb2dd8779991e9ec64b38ec8d7480

SHA256
5b1a27f19ce48c24e7f34b76339d49b4bba590fafd87d2b0054acdfd126f2104

SHA512
467ffc9e9dcdd99eac3f461d3e977f48296a6288f0fb9790849c66380eb6ce33c063cf45ebe8ba4bf316424b630d7bfb55707d7b997397f727250fa8c26b0ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f957e80b7de5d47cdaf04eab429170f1

SHA1
78327966bf316d5b6cba7c6bc2890f8fcd8702f0

SHA256
e6d9b09c9520fcc360a92e254564a9aa7273d0c0c7ce6d9b297929529c7a2b6e

SHA512
9c468a6889d20edf66a37c80a20c2884394fa47b61c823dba82ba66e6c8cea43890aa3678340c305e82b92bff9d9ac81dd9b8ef5e45a09f963b6211301e116af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d4291bd522ded45ddc2031fc1d02496

SHA1
af82f7aa1b99192b760da190def3ab669cd70ffb

SHA256
8aea7c35bfe2b2d3c077fe6f2516fb8b370485dcde9789b503c905332b674d04

SHA512
b306a04555c417ef97e023288c0adf9eafb91c9e0a1d926c372bf2809118e37761a4b7d2b8a36b407b507e06c0c80416cfff32602e7ea0ac8d24f7b0408010fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f26241293d5d3a2538428c2d6d3898ce

SHA1
7f96c59e144b220dc23fdfa39b9e27b9ad967e3a

SHA256
8c6e6f1fc7e966ba714cf5db50bae46c7bae8433fc817595ab175710d1aea770

SHA512
cc8029d74e3d1ec040467af03f3560a7bd0304ba3da2e939fd603bc1ae3a41da0c6b4dd90c3b6d77dc2678b477c7670406484172e1b2efa5cef877e7fefc976e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d619afce138faa08dada108084db74dd

SHA1
43906aaac30e73f1a8c6774720fb0be0813f6fd0

SHA256
a24db4d75a3e9a9a542f11cc04040d5dbdebd654a3dc098ca360e01843e190a3

SHA512
f7471c78163ba978d1b3bdcd85a6329bbcee7dd25f7b9fd1e097d2bd9f0590fe48b3e4f1a1b7ad9b7e173ec8ffabda16e1aa51950274877c2129e816cc108e28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
662461ab0c30537e30bcf56ccb8c3436

SHA1
dc1dd5d05f96a1b776b151e50e0b1cde5f8a4c6b

SHA256
fdf15031614bbb9283777fa4ec950b6dc49699f045146ed1a85f04d9a8aee634

SHA512
8796c3ca79bb16254032cfc6f02fad375987101126ff0de391c39b79de5cb2b751dbd2dbcb7f838c56008b55f42d131418390b180556c15cefab81ccfcb6d301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4130e636525c4fac9ee31fe5ebc34555

SHA1
45b12d99ea2b596e0de5a370ad9d2910211b84e7

SHA256
b841aa2591d7fc1530ef28c83153d82dd6c458457b8b07ab488d5db6ef5f918e

SHA512
dcd526b468bf0da397ece915117ca402f0f0c7dbd3b5a1f820280e9c71f2af1fbea09a3e87e768a411b6600a520664c397e42f5e6c4f28b290342e19566d8d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
af6d497a9522cd5cf0c51bd2a419695f

SHA1
5cba32303bc2d549860fed6d5ca099ff396db107

SHA256
524cb5b7ce79cdd0daed54e8976eeca77f9954cc61de2f400696ca88cc6bfb6d

SHA512
63c3e36a62949d4588e1b0cdd04fabedbe55465303a97fc57e35dc1e8bc4ca9b7a226942ee40711a3b4ba9d2c0d5f1b89e6ade9f96fede1711931723e70b8814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
af4c957ebfda84b3a52d28cd3224f973

SHA1
1900848158b6794b30de34a4949a74474d7780b0

SHA256
d0a7e5151bfd2d9ee3324e26d22376d4ba1b26bd598410a0a7f14e2b8620bb46

SHA512
556c386eb331ec44150ea480e8a45a029efa1f8a96ef44ec3c5aae4bab53c7f1489be210b8fc3489f5c0c7fe2b731fab3be7d6ae876cf515546059aa2edf0200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e3514b386496629619dda2c585d4b8c5

SHA1
1a7757640375b666cbf768458873a4751f9c56a8

SHA256
b84e5751fb4103cc0b32487065da504c4b51516d4d8d4e338cb2ab88b0eea3c0

SHA512
091620925e90151384aa679b8ea74d63db51e4a443607c900fd2f697b60846cfc90331c7e3930f01e38ca904f5f414abb0b0f0ec7e086b6a29dffcec525518e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583795.TMP

Filesize
1KB

MD5
09302375e5d0058ea5fd5d6aa6a7c4d9

SHA1
57fba7401290b7e3328dc5ceb930719f6d8f7574

SHA256
8f97b12812521ed802a4a29275386c62dfabf8fc67c0a7e5fd2ad8ebd58914ba

SHA512
67289badd71aa2be75fb8b594d80e0b59edace6379b9fe98316ed7fea022bc9a82f2f46072f9e5fb47c4ad92cf231a5234e61391cdec0243e4ec7f02e4567cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d9c99b8e2ff9d9220986b0c5e46ae2b3

SHA1
d6dcd75b5e4838213542e11858108d902eca793c

SHA256
9b44a30503d9fb3184b02846d06a2599d0bae254a004c519c30f3127863af74b

SHA512
af14e9a64f2cbf56ac0aa348f43983246fc6b6f012939ad4e48982289e4e80787172c0fe85de6c63b0e7f1b7f97adaa3f17e5a2ea0506cf4a393f0db186905e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bda50550ae0c4795856edbab1efc2a90

SHA1
b117470818c6d2b1c15185af8ffcbd222d81204c

SHA256
42bc3d8fae575a26e51ce3f74fe2dc9d648e0461105e7181ffad952164d03ab5

SHA512
cff1292e53d5f90e224d268d8673daf935bbaf61b4f630ddb53dae4f912c819db4abf59b1f76381169ad36f8da5d295b95ae667c0433dd1707d8f5a2fba4c05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cff636ad9a699734882448c6617753b9

SHA1
9be6aadabd0d15f6f35b9be9c602c268a9d50138

SHA256
b9a2778c5508ca6d60f56835af895842f627a89abd510f8695e4db946f6b3d39

SHA512
5342f57d5a7579077d91e461b758db34e122ca166c82056521814597047dc6a774743f0326d078b50a31812e3f463413d1fb5031d40d226e6fc526b7a17c2800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4adc56accebdb648e0b04d9f76611875

SHA1
06bd1f3de1588c02a06f2ec9d672cc768e075b46

SHA256
4984535acd9db0691372306fae9a2ad4a73c0d3c87052c87121bcedb5f92fe1d

SHA512
65f2e455b75b1b9e8b25485fb3a1354dc65a496a26e2653fad7f4125946d08f172bb987521c03e25983fb0ff8da7e911b576f852b73795722eff97d109e6694a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c9cadae9aa09ddfe2efe3d47803c0248

SHA1
455961613a7135f939947e770bf35c7c39309173

SHA256
bfb24dc82df75df2c146252d53398d2a698c665ca9a38d75fca543cd8f4fec25

SHA512
b5d1b9e06f77011778e96d2f56a8fe3a33ce566b125ab42acd44af9307d9ab30f79daaaec07cc1f8f0dcd81edbf610e03b18c329d846bc73c13c68def3ec93e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___0OX46_.txt

Filesize
1KB

MD5
422bb15e3148c6c67f071a04ac508f1b

SHA1
cf97025bd99ed2588c3978c322a9213eec8460fc

SHA256
1e4d46cf47054a3eb783be91d6a38cf5c58880f4381509601bbbd5b2e62fca76

SHA512
c5af74fa8da72ec1b2a5685078d1f6b49d078e755122e57317bf0d5d4f3057295f304deb49973d6f03a836412dea2efadbc04560b04d8bca844c3427094dbd6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___UMN2N_.hta

Filesize
75KB

MD5
4edb134fd240bf722b43660c966d086a

SHA1
97e95ffe88145d8f6e9c1fa6672fc7cb79ec85c2

SHA256
8f662e1b64339e3648d1708a0a1e515f261cedc48d338faa43a059b57087ca94

SHA512
3009d9462ab1b266a076909af55a319cf253dfa2bb69779dc4a0ee005c6b1f2a20b980aa33124a9f1d8d1f3421bb719b72507ab6feacbac6bc8c6c6198fc4412

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cerber.zip

Filesize
215KB

MD5
5c571c69dd75c30f95fe280ca6c624e9

SHA1
b0610fc5d35478c4b95c450b66d2305155776b56

SHA256
416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

SHA512
8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip

Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
C:\Users\Admin\Downloads\Ransomware.Mamba.zip

Filesize
1.0MB

MD5
f94d1f4e2ce6c7cc81961361aab8a144

SHA1
88189db0691667653fe1522c6b5673bf75aa44aa

SHA256
610a52c340ebaff31093c5ef0d76032ac2acdc81a3431e68b244bf42905fd70a

SHA512
7b7cf9a782549e75f87b8c62d091369b47c1b22c9a10dcf4a5d9f2db9a879ed3969316292d3944f95aeb67f34ae6dc6bbe2ae5ca497be3a25741a2aa204e66ad

Download Submit
memory/3364-529-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-919-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-940-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4772-531-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download