cerber | 28cc4a9984a25cfa560e945da3f172fbda9ad081aeee88a2ab626db8885e0776

Analysis

max time kernel
361s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-09-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cerber.exe
Size

604KB
MD5

8b6bc16fd137c09a08b02bbe1bb7d670
SHA1

c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256

e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512

b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP

6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___LIMC2U_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/A4EB-6706-D5F0-0446-9DFF Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/A4EB-6706-D5F0-0446-9DFF 2. http://p27dokhpz2n7nvgr.14ewqv.top/A4EB-6706-D5F0-0446-9DFF 3. http://p27dokhpz2n7nvgr.14vvrc.top/A4EB-6706-D5F0-0446-9DFF 4. http://p27dokhpz2n7nvgr.129p1t.top/A4EB-6706-D5F0-0446-9DFF 5. http://p27dokhpz2n7nvgr.1apgrn.top/A4EB-6706-D5F0-0446-9DFF ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/A4EB-6706-D5F0-0446-9DFF

http://p27dokhpz2n7nvgr.12hygy.top/A4EB-6706-D5F0-0446-9DFF

http://p27dokhpz2n7nvgr.14ewqv.top/A4EB-6706-D5F0-0446-9DFF

http://p27dokhpz2n7nvgr.14vvrc.top/A4EB-6706-D5F0-0446-9DFF

http://p27dokhpz2n7nvgr.129p1t.top/A4EB-6706-D5F0-0446-9DFF

http://p27dokhpz2n7nvgr.1apgrn.top/A4EB-6706-D5F0-0446-9DFF

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

2181 680 mshta.exe
2184 680 mshta.exe
2186 680 mshta.exe
2188 680 mshta.exe
2190 680 mshta.exe
Contacts a large (1100) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2064 netsh.exe
2820 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

832 cmd.exe
Drops startup file 1 IoCs

Processes:

cerber.exe

description ioc process

File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ cerber.exe

flow	pid	process
2181	680	mshta.exe
2184	680	mshta.exe
2186	680	mshta.exe
2188	680	mshta.exe
2190	680	mshta.exe

pid	process
2064	netsh.exe
2820	netsh.exe

pid	process
832	cmd.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Drops file in System32 directory 38 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

cerber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8DAF.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe

Drops file in Windows directory 64 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exetaskkill.exePING.EXEIEXPLORE.EXEcerber.exenetsh.exenetsh.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

1076 PING.EXE
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1344 taskkill.exe

pid	process
1076	PING.EXE

pid	process
1344	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000c1b5808be4e6850b63caedf2c7d93169174bf4d0688c58bf3aacb3b372ca45f0000000000e8000000002000020000000927f21716933d82502b3e88439b117cf01f7ed327fd07e9bf2e20d8d0918e4342000000066bd10f7ca97195b83ea3b9f7e9c8ae0c2bd18f064223c538a645e97c3f175e14000000008dc9932428ae524fd520ef9b9f01184f5660ed9f765bec391904f6db8e7c15a49d0686cb5e490215185734139cea266ccf277a86657681cf4633069fce690fe	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e43deea50ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000006c93ce53b287938a429da83282b2f869b49fab245d2e40358ded12aaccca1191000000000e8000000002000020000000cdca284bfdd74be555413efe13f2d6cf5d41d35529127ffdf899a0c3d84b93ac30010000b1c04a6c86522a141185f3f5a3cfe0693d184f18eeeab03aa6b1f6f11ee1c29420a42b35b9a4a7e80f94d24ef4a1189a768c55ecb9dd03b327ccce702e83be3cf0f59b58016e8ea20abae9046f86880200e467b031305efacb622ffab3f65312d1f0c27dc9f67068805598a45dda119b9f743badead5d9eacad110a079ebc75616e7cb9623e16f37b1c776e74cdefbf414822247d57bec902ae2cf628cc7a6eca869b8f1089849e243f80b858f92a83d5ff5a3b57ad15aa4620581ee5bef8ec01479b3849a496822252d703a96ba3ab36a5171ba7542ec240b8ebcd5b0a10155c8be4620feb568243f57ab85e10393b3e30f80332972827cda8c431a30020a5302cf715eaf8069708f6fd39ad85fe78c9960df687c204e947dd63fb992963b63fdb30496e85af88b77f4b65e80e9ff37400000001133757f6bd916f1f9b4fc70b7bf0bc637464363f374da6fa5a9aea4e2fa9c244516ea850e63eadd8a57b8e5a14fbde26ae5ba36430822fde7c921b7407ac645	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000001cd99a1c4a12fe6b2e0c58daea599fe76245240c160c0833a55274d82933002a000000000e8000000002000020000000979f74082b2df13de5cb9766b7b8b9aa396e5b794c16bc535a22f87b94fea4653001000056bceaefe1aa3dc0f96e24cfc7dd21a910f34500f4e8975b4b1db2adeb80431bdca04e6f9ad607efcba4f34a10e9ff26e75e4dba0992c8ceabd8d4c5dcb449ab76b3574ed5a7753fef7aced74bab2d7f39a37370125eb72b59bb3a7b0f11e8d077487ab30890ba8beada16dabe428d389eef68486ca2813e23e87c6d8ce81aeb9c9e3db56d75491cf11273a8cf05b371571aa1ca98934cf5fa0cb27a6ff558bc8bc3b435c7a785fa1e17ca31ff945e50bb355fe40b5c024828c77e9410f61a192ebc7cf0a36f5dde680ea47fade92dbae3f12b96cee14f3f75f1f8bfe9f6c13c5b8fb784a568007a490f01664236ea80bba46a622926f5245d92d50b576e2e76ce950a29618ec0e3a3a8990876ef469790d367da505ccbb6d99a7d6b592632fb12d9efc32837e2da18548a6e2d6a5295400000007cf7f9e06d447a6043f155a677bb1fc6c26e4760773846db9bfce93b3afd53258ff5faac5ce8e42b5dfee5b4f55fd89a1f9f619962e4f9170f3feff978a7b6e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433250285"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28398C41-7999-11EF-8318-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1820 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1076 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cerber.exetaskkill.exe

description pid process

Token: SeShutdownPrivilege 2892 cerber.exe
Token: SeDebugPrivilege 1344 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

660 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

660 iexplore.exe
660 iexplore.exe
2768 IEXPLORE.EXE
2768 IEXPLORE.EXE
2768 IEXPLORE.EXE
2768 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

cerber.exe

pid process

2892 cerber.exe

pid	process
1820	NOTEPAD.EXE

pid	process
1076	PING.EXE

description	pid	process
Token: SeShutdownPrivilege	2892	cerber.exe
Token: SeDebugPrivilege	1344	taskkill.exe

pid	process
660	iexplore.exe

pid	process
660	iexplore.exe
660	iexplore.exe
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE

pid	process
2892	cerber.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cerber.execmd.exemshta.exeiexplore.exe

description	pid	process	target process
PID 2892 wrote to memory of 2064	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 2064	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 2064	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 2064	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 2820	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 2820	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 2820	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 2820	2892	cerber.exe	netsh.exe
PID 2892 wrote to memory of 680	2892	cerber.exe	mshta.exe
PID 2892 wrote to memory of 680	2892	cerber.exe	mshta.exe
PID 2892 wrote to memory of 680	2892	cerber.exe	mshta.exe
PID 2892 wrote to memory of 680	2892	cerber.exe	mshta.exe
PID 2892 wrote to memory of 1820	2892	cerber.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 1820	2892	cerber.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 1820	2892	cerber.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 1820	2892	cerber.exe	NOTEPAD.EXE
PID 2892 wrote to memory of 832	2892	cerber.exe	cmd.exe
PID 2892 wrote to memory of 832	2892	cerber.exe	cmd.exe
PID 2892 wrote to memory of 832	2892	cerber.exe	cmd.exe
PID 2892 wrote to memory of 832	2892	cerber.exe	cmd.exe
PID 832 wrote to memory of 1344	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 1344	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 1344	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 1344	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 1076	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1076	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1076	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1076	832	cmd.exe	PING.EXE
PID 680 wrote to memory of 660	680	mshta.exe	iexplore.exe
PID 680 wrote to memory of 660	680	mshta.exe	iexplore.exe
PID 680 wrote to memory of 660	680	mshta.exe	iexplore.exe
PID 680 wrote to memory of 660	680	mshta.exe	iexplore.exe
PID 660 wrote to memory of 2768	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 2768	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 2768	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 2768	660	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___7BSDB_.hta"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.torproject.org/download/download-easy.html.en
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:660 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2768
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___LIMC2U_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69c59bfa0e1decd056dbf48726de8840

SHA1
94f921859b7771a7adadc730c9f4269930eb98c4

SHA256
d985abc5469da696880c98913f18b38883a2558e95a87504a3c98935772d6a7d

SHA512
ba065b16c793e0ce5cc910c32ba17b3836f84fbb55ebe0b3955511ccd25dbd6baea8cc2cd4ba7969a7966e80475c186b9988636065ccb5b51f11069e50132008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b8a728c1dc99f9abe299bac589361a1

SHA1
b84e17d7a9497562a4ce01752a0732775f81d4bc

SHA256
9a0d190b31b27543339202747f7b9e3c87ba13b382e6c349b6dcd7332dd3f71c

SHA512
f4695db76b22c83b038b378f6c72de63f1ce1e465fba9bd32dcd24817d2d5db2643e63deb69908c8f7ad1f9433c98faa20f78cdf6f07a4a3edc0e9f4e883bd0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41ab7d22ceb5ecffe26c2d0b9bfdf799

SHA1
9078d7c5af4b37447ebe40116d45e31f60b14c07

SHA256
f4105c6c49272e6392e8b1ea79e63575a0d23c3e742f22472aa1e8eca0b6ccf9

SHA512
4109efd6c1ea7914d4a45941d7d06c75591694c268c9b1721b6d2413d301286178d0e3747a3390ba83bc67e3b415ded3aee55df36737f958440e4f8f31aaab31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
337283af63d1af66d110f202918ec52e

SHA1
a510593a81c433e446255cc4dce2fa749ad95233

SHA256
c8518e62aa76ffbf858f512ff0dddd198a20dbc7466a10d838afdb63e292da57

SHA512
69bf4feb8f751bd118631f934ea6f8673206ce147969a460f8e95e55521c7957242b61df567cc5daf6d2c0e4d129a61acb06b0bd5538ea1575a1991d54ffaf6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c890bd892d9dd85cbd83e4c470834ba5

SHA1
9e0ffef5d1fbe5e0da796c6849d8ca829f7ee513

SHA256
5b6319ede655e7de83df88572a7a5e4bfef438991ef4c0b3867aaf0a9fce2183

SHA512
a93117a60812bd21931d1ac598cc188d0b9e2233f8f866fc74b4838293020ef960fc8d6826e3713e16e1a55245c7822eba9140a250a769c32ae9f5b6778fe84e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95979029728b180868947a7d2973b63c

SHA1
4d216d00dda71e86dd19dabfb7220e89c3c860bd

SHA256
985bdb39aa7a1e290be493e6a4f4fb40cf32e8f2bed92d664e9e6ba0b96f3a92

SHA512
b62f4aeed445fb416d6ac1b284e051ed576e400e44a49c5ffad0f62e4ef377876354024fb98f978299dcd583e0562cd61d123f7ce2887474e637c8b2f021780b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7704b598dd3945b07202fc5db79b174f

SHA1
d8023d4622e01d64d5bc09fb9bef9794f6761b61

SHA256
6eed01f37aa1ed2bb91a76d410592f2f68bbbc666a5c69247bf753dafa9ec5f6

SHA512
80f94f7595380b31d3a6a28e81b71f13146d0b40248a91218d1ccd03952427662d40b27a43a5d328debd7e2943e6f339c7c9000910ff0ea796e38d0ce59c2928

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da43b995a7d0db103252254bcfd1a690

SHA1
5197085ae0ea2330eb490b078f5834cfe2cf8d9c

SHA256
6f5d1e6c67d1896a730af7d6bd37f933e4736f7421c8de0fd3cc2c969afa7783

SHA512
ef4b8e1ec773688d7d41a5e519d051b1d0a9954cae173bde3a0b209fb99c50d2abe01a44ba07b73676d5938c916adcf66a42a0f81007dfdd14c8b22c9547bd3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e6a5f0d329e6a6b5787616b02c45af

SHA1
472c7a8377fc622d4b17294687a86513e6ed37ed

SHA256
03659ca1708759a28207da2255788aef4052b734a398a238705d1af546bc968a

SHA512
6edd92e4a9bdb81a784910442a1262780ec82a4d4dc2957dc1274cbe7e9fb42bb99d278194d8ee060aab4d481056b15a1b79ee7c9e8af05fac83db6e621c6f5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2f9e4b0fd7595158a9d2252ded670c0

SHA1
9c495aa6ce54b75643e8ef76395f872a2b5520f2

SHA256
8549016d5ac0c1c9264e290d5c50d6c2368cf463c3d99ed834aa0e6b234c8acd

SHA512
e49927f671100c33a6bc869dd13cfa2d0238353f6df76ec1a22c7692420d54d5e383edadc53325b8abc3c5f6ed3c92e9d0912ef01666f0fd8ffc733cb8b96198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c948931073cb9cab3b0830e055dfeadf

SHA1
464429d5cf1bc61513bb8d68511ee21503e939c9

SHA256
7b65f3e8d92286f83256fb9cb1f9a25ece6571150ae18e0dc6bba2d64dafc26d

SHA512
31ce74e84b4e61b8e7235c56269332f5edacd6e31ec21f373d51e2e88dc40ac0de87568267c913eb91c53fb78064f337fdda699e57a31cf236487e2c6d433f88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b441af9c3a6ac4870bdb852fce8d4e2

SHA1
a1ea19d1a5f22a98721aa0239ef5482d772319c6

SHA256
012668e2536728bedee09150b20716d0a99da01b45241f3fc60d0835f825c385

SHA512
3d4a51109af3a162f4ee4e30ded521dac725a4633252ba46c9da635f92caf9ea7a11e63e1c2e45cf5f807e69fc06a784712b5f68b40fe7c0ffc9edd4c8378ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42dac1bb25e5af335baa8e0b3cb6cccd

SHA1
65156db3e89e3dc63c4a4bb099d49ef3a46e0dae

SHA256
ef1a3089924a763da737fdab5a7b38b98cf47f224de713b0d3c90308f17a20fd

SHA512
195b307442d0b88ed6d58df90fef8f800fb2d0757254ff848ffbfb84e262ae9b54af3974d226a91752962056797e1b42bda23d02c5ba68ecbc620813f8de8566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8f2bae3d817c4279de7fb2f8513b858

SHA1
96b806bc6a6483cdc2bd1f29fb1b409ea5412f3c

SHA256
a25148e51db1cff6e2284282d6f64de8dc5b57d9deacd8bbed49b216561372cf

SHA512
08c29fb2576bc9d75b3a1dbe6967f67d54f9523e9f82804ceef1c10bafd6ef8359ed66590b8083241cb1709097d8fe420c74780ec61e713c949df3760944ad8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
606def9d03880edf7b2e171ea9e248cc

SHA1
1e643146288240a7bb30268a0a77e102cdb47d93

SHA256
fee68f4e751028e216e0742c25ce6e982087b1feb4d3c3a5b3881f302e9fed8b

SHA512
c64e5e3069d43e5bc930aeb929ca0b34d31b31072316851be545a5c7600e1d10dd40018201dac692f8b6ca19ede56db3cff65a8e47665368aa3d35cfc58c8596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c86e9c6514783d9ed75247c253fd1ff9

SHA1
c6ca31c5e5ef7160bda18499d19f252c3b35ccdd

SHA256
5de9e0ccb50534b54c95806258f581a8a1f7d09b9b03070237b7d952e6478486

SHA512
06c0708a964316560e25f964e7c2050d82b0588e1f6f08421ff9e16d3e6fbc60aca336d5880ed17401e53be204d6a6d999fab6516a513c675b4c069ccca7fca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65532ad4ea0c8f1c8c597ff6e706eed7

SHA1
bcb38380833443bd2f6632e76648d14c474902ca

SHA256
721ec3542bc62728e5bede196a5f037fa22467b11c5b934aae230f0185ddf359

SHA512
fd150406e4d6ceb4fd7641e0c688674b45ab076e43ddb5a27923f6a8f6eee76c786f639322fcb39927330d6f190e8ba1e251de3f70f56909866efd7a7a8b44f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e262fbdb6904920bf4b9c10784f6c7a6

SHA1
07b4c8390bf386d034609ce90ec3e949358f284c

SHA256
8021e87c14f3d06114f397ba510b28a83c8e66e9d35af9b53a4aff5d2892ad89

SHA512
7f4b3549325ff9f87a151a76f074c84ae94ab3eb0517058974fa35419c791b3073d16064c4617f66cee32e6ebcedc837a298498be3388fac7963c9e078dc71f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
766f8c0ffa3d0de9f7d72ccfa09a2513

SHA1
b911b764731b7b74443fe79ae092a9f2da9f4fbb

SHA256
d9f129337f19b449065767dcf39f2f102f056dc39d857c916922697bc57d5b17

SHA512
dbb5474d21cb8536d33bd3d59a496eee4070ae9b40d2e8c9dde39493f577cf0b879f3b5bdc66c65625254f356b6283e568fafc1340b7475997896d26a7d20e20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47cf8f0743cfbd510efa35f4847bc4a2

SHA1
223985c7d18d9c5faa9e66ffab80cf3b7c81d4eb

SHA256
8257dc6f8bbe7ca3ce0c39ce5018fadab750ae171875ea6e226433a89f6f2222

SHA512
accc77926e7d067eb3392a939f54c842fb024b896ef6628e089c137728c924f7b119e7d5eaaf0778c04d11441140bd4ce8475ff46c65c8137678aa1ab29d3f57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eea8f31ce60e58c3f42bf0d6900af44f

SHA1
2f5ed1e4f66b34125e0dd204d178e85db1350e66

SHA256
74950b5e312af101314dccb775980f8cd908e1484ea079da4fef940c0752f501

SHA512
757a4e43f27701685b00b17eb4ada63490ccc9dc433e87b9802a7e0834da312256f1a44e89c979f8acb32b64e083bd98a5c6f1a98595fc167b0a4e9c316cbe3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cad124d1e99c52a3df6378a2168339c

SHA1
ab9d9b965ad6d59d8cc7eb7205210c13a90ad7a9

SHA256
a7298e0d38434dd9d7610f5bc82b9c46141af5e41e03c0adbb922974072d297d

SHA512
d38900c1e70c092c0f3215089a6e92eda06c4c4a48eaf30fd9c01d2baef395537f1225cefc8efcac7825d0392c1fd4b5722bd8decece3a0bdd506a8113d9ae6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
4KB

MD5
ae977449dae41ffe06d2cff5d5dad011

SHA1
34749a382f2328dfd1328b22e1535dd7537f6882

SHA256
506207c1355df14a739ed6d3f51e51be6738aa497e020bc7cbe32246179ca561

SHA512
d3ff43738acdffe50fa3179e17922afe55f09e97f5af0579a9b4764781c7607513863077e96ea0afb6a4449a412f5cb1df39613c71faa8218cc4fa34a31d1994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\bootstrap[1].css

Filesize
166KB

MD5
cfdae4e5800656dfdf24193b3f80fcc8

SHA1
2122cf07b24310951c4b8ed92290b652f241c538

SHA256
7e50c709b7734d4454f54e4a93e0e8f15f9cc9aceecc59f95148e899e36777b2

SHA512
be3c5a8ee12e79e26adc91ae688b2185f090de5bc2b2116461e2511c98da8baee4f4e0ea0bda1a2f7e9e6c3a336f02d0b3cf14d47fc8d9a9a13a1d6fd54e690b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\download[1].js

Filesize
431B

MD5
b70b1ed7c4c41f09b4cf0d194a4c0940

SHA1
caaadf8f271ea9283a28627a86bde3bff2b7db5c

SHA256
b4c2495baebb13c22b9907aa12cd7a0dd75418c530693dd99b5f337efda705ac

SHA512
1e422378ac30ce2a4f76bad432a796ed47e12be00cadd843e7330d0cb42d09994badc4292378aa52851f814f48a21ba538f70cdf28513062bfa50ef7750570ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\jquery-3.2.1.min[1].js

Filesize
84KB

MD5
c9f5aeeca3ad37bf2aa006139b935f0a

SHA1
1055018c28ab41087ef9ccefe411606893dabea2

SHA256
87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de

SHA512
dcff2b5c2b8625d3593a7531ff4ddcd633939cc9f7acfeb79c18a9e6038fdaa99487960075502f159d44f902d965b0b5aed32b41bfa66a1dc07d85b5d5152b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\popper.min[1].js

Filesize
18KB

MD5
6cd956453e307bfd2ce4bfb0648b9f7d

SHA1
a43367193adc1258902e5b68ad0cda6cf0f9ff8f

SHA256
625b022a42ed5d9c39911e42050f4fd9834ea039af978b7716f7800ade95eb55

SHA512
424b469ed5023a9a7ddbb28cd6b6ed10310da52c7089e656a5dba723be520aca5f43ad5b6749147fc8dd712c77a17f907ec58a52900515c02352b423f1abee4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\bootstrap.bundle.min[1].js

Filesize
67KB

MD5
85bef1b86b877db4b17ea8bae3eb7cd3

SHA1
46d1f82f1ff4224130c6153a8a6db457477b7097

SHA256
4490f15bcd903912985c78ba0b1d4abbc94f7eec240c8050685676d071b13d74

SHA512
88ae341fa16b5cc6b8558e88eb2d8c1e7cc309c3226cf403de6c13ff7fbb33562b916e2ebd32c31338c5bdad1cd2acae11b586ff5de86c0e9b2289886b249d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\scrollspy.min[1].js

Filesize
6KB

MD5
dbd2b17a490f739d502e017507d1fdd1

SHA1
0267413204b930bc48034612eecacf89864ddd93

SHA256
1357558a930a31b2e6586c19889f937768c8812090f0f93bfc79e169fbf20f80

SHA512
8d45a2c4cfbbd6d1bd0c2a6770364458a9e2abeb0ace38453947dbf17665812d1767c6ec5bab5f5cc9fa584364dec4be4df4aa2af5692bf7982a36e6fe7cad10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\SourceCodePro-Regular[1].ttf

Filesize
117KB

MD5
43bb4cbf1d0ecfdb1309e4cb67264f35

SHA1
8e2a0661a04da779060c84de427d74bf1fac24db

SHA256
2967dd73df838d2a2d390a638c6d7cfe9cd60c5ee2e162d8a1c10a70ea742b5c

SHA512
24962c5cf4eb03ecfe5a7df870c8f2688369c26536ad31c0ab993bd5358747d981035016c93da8c34900bca82eda5d143eb2e44e14de75f5b9faaff832a89d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\SourceSansPro-Light[1].ttf

Filesize
285KB

MD5
ee2a11b8055d665afd2ac1d818683ffe

SHA1
005ef2958f43952ec1e46ae010427cde7914ce2c

SHA256
5705ecafdaa64d8af74d0c03f89272a65cfee9f7e62b55016a8dcbe4a69b6f86

SHA512
2e9fd0558717b954ee73848c95c7f5495f4c907192ba33c2f2a615621dc9174a3f544e44cbdb086716b48b993b724e81484305eebf0c69666ea48919e3476e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\fa-brands-400[1].eot

Filesize
130KB

MD5
877baf6278a6f1506a07afd23b334f47

SHA1
8c9cb59343a2ae9f1ba75c5583f8016a20fc7cf2

SHA256
c563adbadc5eafb6708b610268fbd393d59ae41e220aae5aac99ca2d45a6e151

SHA512
657c645f2aa4c159cfade0b863805cb597d366721648fe2b067d5ac2bfcfa402dd8a977c9f208ba4138dc574eb6eede5a2b8131be3dcdb3bed8e9b4d5c464396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\fa-solid-900[1].eot

Filesize
203KB

MD5
f9103ae53b2dbcb0a14605eebc90a2ce

SHA1
e1c3f21ce3544c898dc5262f5c2ef4d84bd28bbc

SHA256
c141af323058f12f8b0bc760162f9928f6a415fa04940b486fdb4086284e6ecf

SHA512
87af8a8d845034977f7c87430e9062bf397673ac35487e6851ec0909bedf1732d7f9c618ec50b6e57b439561d4220fc6ea7f197848c971dd20a136c810e2fdc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\fallback[1].js

Filesize
1015B

MD5
973fa23c86e39f3f80f2bcca267bd68a

SHA1
8a716acdcd9bea3152ad58300e8fa4b3def399a0

SHA256
154b6384fd1042f3c7469da149e57c750ffab7ee4b875384b6fd3e97744a7838

SHA512
39ce6151d918d37ee29390eb422d77812444e80fab0c7041a40128710ff590f6fdff36fe85f8c78c039e41e7ef2d7156fe8efa1e7c078053b9ffea0c15b35b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\modernizr[1].js

Filesize
3KB

MD5
625b8b4c0aaf7e062c742064e3b153a9

SHA1
9a7f06095cca8ec31eea70538e36511709c611f6

SHA256
27ea70b9bbf44277d19309f8361399fcfbba338e798c4d809c3b7f3595676667

SHA512
c759ecbc60d0241bde7fd08c9c5fb93e5956503066caff384a14cb9081d503cbb341bcb15c68dc32d3e979050f4c71d7bb1bfe9faf8415feb1e3b0518da34eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\SourceSansPro-Bold[1].ttf

Filesize
284KB

MD5
0d9b62a03206f739cd34b2936a5929f1

SHA1
f5cad74e9791d2ef725f9ff5d53216cfff4f3678

SHA256
da4f442e66843990825ed4757e27ad3442cad83f9844cc503e8ece85e00f77f2

SHA512
d3738085d8f4891bf1a475a52108a4298b07c8959100e32d1c79038af8b39c182e45fb9d531dd75f7bd2a514d70cf808649dce83d3558be236c74160923ff794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\SourceSansPro-Regular[1].ttf

Filesize
286KB

MD5
5182da425f811908bed9f5b8c72fa44f

SHA1
17c25475c0369f7f8c8462af9cf127a4cf6f1332

SHA256
71d10a86b4c54a5a9c0c8b467e53ac67d79edb96c956e4e9f65a7074dfb9992a

SHA512
cf37ee1e2c3574de5819e5c5328ee010832987750a3cdc0bc43f102c3bdafd3993a9984c8d51f66b18198e80049c0323fa2f8f692025d8947f9580eda6a7a5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\all.min[1].css

Filesize
52KB

MD5
b8085bf2c839791244bd95f56fb93c01

SHA1
9d272f6a226adc587b4c3e470cc146edd8c92f75

SHA256
453893f7daa3d8fe9716f8c6d0f36f8ade8cacfc0093e164f4f998b46427959e

SHA512
071423c79d846bfb1a9ca8c9e36e8f021c5027804f7da86249bfe886d67622982b739c326934a04f03e1859ff10baeafbe0f8de2aa030f58f455c240a814e385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\fa-regular-400[1].eot

Filesize
39KB

MD5
ec813c5b36705e64ba121073b315cb52

SHA1
3ec6adaa99c992445ad6c415b7328ad686424b30

SHA256
6e70525bb429041c5ec84a81cf4733303cee90966809ed255741fa50e123ae47

SHA512
2d896211251db05dd1d3311b3b9ec9ebe572a72f4edd7d63cb847a4c314aa54ef34c17ac812525775c275abe4657413d404699b51f64b0679e5844197a07f712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\favicon[1].ico

Filesize
4KB

MD5
d7c21b4951bd432d06f0059c63130f19

SHA1
4e4ad2cec14a4b7c95162c247a7c7ca5621e6569

SHA256
7c2a800bab2c088ba8a7af287d440433bca2bc880be2fd3eecf6ad7aa90a075f

SHA512
09b185aa070f8cbb54ae5a4b49ea3e1208212caf2d8f76c05a651381f470b91345e13ee2e94e73ca35db14493d702f4c1ca5b8732cabd1cd2e689a8cd667fbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabABEB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarABFD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___7BSDB_.hta

Filesize
75KB

MD5
0fae8a0294f75156f966ce680137c3ac

SHA1
aa582389ef24ab0b7e7c5f0694671f9845ba8d2e

SHA256
1d426da24579b252b9f8523121ad2a5a74f69c834f25c37e49d6536ad3ef5e65

SHA512
12bf05041555c364197e7820690eb344e149f6f8cc5fd74ff3535a6529dad0af6f9289da4c9cda04fd24cd638622e362543af9a07a195b1e8752c4f4536fa20e

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___LIMC2U_.txt

Filesize
1KB

MD5
f2f88126202674394948156d07c216f3

SHA1
1f8e789c5b605760091ff4e647a02cc177e1da5d

SHA256
e287f8891139d84011be3ed0211b3e6a6a5d4b7d6ec35fede88aa45f40e1bf23

SHA512
6be4fad340db4e7f5dec6fc2d7eee414cfbbc8e57d0908f8ec9caa626129d11e9e638c3a21ad3f3efa4001bc50ac48d4dd3a2d211716cf0d0374ea2f2e7154cd

Download Submit
memory/2892-0-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2892-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download