cerber | 28cc4a9984a25cfa560e945da3f172fbda9ad081aeee88a2ab626db8885e0776

Resubmissions

28-09-2024 23:39

240928-3nsyrs1dnj 10

23-09-2024 12:03

240923-n79naswcml 10

Analysis

max time kernel
58s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cerber.exe
Size

604KB
MD5

8b6bc16fd137c09a08b02bbe1bb7d670
SHA1

c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256

e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512

b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP

6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HW6ZUUU3_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/28AF-96F9-1DBD-0446-95CE Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/28AF-96F9-1DBD-0446-95CE 2. http://p27dokhpz2n7nvgr.14ewqv.top/28AF-96F9-1DBD-0446-95CE 3. http://p27dokhpz2n7nvgr.14vvrc.top/28AF-96F9-1DBD-0446-95CE 4. http://p27dokhpz2n7nvgr.129p1t.top/28AF-96F9-1DBD-0446-95CE 5. http://p27dokhpz2n7nvgr.1apgrn.top/28AF-96F9-1DBD-0446-95CE ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/28AF-96F9-1DBD-0446-95CE

http://p27dokhpz2n7nvgr.12hygy.top/28AF-96F9-1DBD-0446-95CE

http://p27dokhpz2n7nvgr.14ewqv.top/28AF-96F9-1DBD-0446-95CE

http://p27dokhpz2n7nvgr.14vvrc.top/28AF-96F9-1DBD-0446-95CE

http://p27dokhpz2n7nvgr.129p1t.top/28AF-96F9-1DBD-0446-95CE

http://p27dokhpz2n7nvgr.1apgrn.top/28AF-96F9-1DBD-0446-95CE

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2181	2532	mshta.exe
2184	2532	mshta.exe
2186	2532	mshta.exe
2188	2532	mshta.exe
2190	2532	mshta.exe
2232	2532	mshta.exe

Contacts a large (1101) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2816	netsh.exe
2736	netsh.exe

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp935A.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1820	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
712	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302be4e5ff11db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000006c23b16c11d6772d25abbcaa7e3c5fb13db07bf73cb36b3caa59d23d799815af000000000e80000000020000200000002725af8dbe59148e29f5052903aca6244ccb4960271e7d82c9f0ef2e77794e8f90000000e3e5d2a767d275cc0ea90a25eb8f66dbad05a178b5162e0fd1dbe49e7d6f0f2c583e6d0d210e77c24508bb35512b52ee1142bba04ea65426a6cf247e9a71c34610eaf054e3303925e42ac3e2b9f18571e144828612c0de3901af8c23d6678adfa18b6002eeb9ae95eb8dd11f660c1ceaeee5c8bdefef2bfccd391caf1e84049793fc0a8b0328ce81d774e30f81aae8ab40000000f7486e5eb3b988f07e9d0a8307183446cc724ee08a73182b4d19b982a8a0caa8f2c3da15a51ef04d6dde93d5b61bb558be24ea707cb35321b96fd2a8bd3c361d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10B32EB1-7DF3-11EF-B6CD-7E918DD97D05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000f9520ca24531e553b6c6dbd5d723033a763cafae9eb59346ba1d0ffd4f7e8d7e000000000e800000000200002000000056c905eb71268bef70c0e8b449ece861df264c7ae7189dc7cf05b68d3294473e200000000e6af52ec5b6cc94347a9e074294ae9fd74b7d96247363f0eaf687ee3051aee2400000007c03c71132de42c33e0d8b3b43b1a673283938e86af07bab7a7305a709a095e2e075bed63858bb2a7d68b75b229628ae8671705eaf18e7a1b0f599fbba66c008	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1624	NOTEPAD.EXE
2524	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1820	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2216	cerber.exe
Token: SeDebugPrivilege	712	taskkill.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2104	iexplore.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2104	iexplore.exe
2104	iexplore.exe
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2216	cerber.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2816	2216	cerber.exe	30
PID 2216 wrote to memory of 2816	2216	cerber.exe	30
PID 2216 wrote to memory of 2816	2216	cerber.exe	30
PID 2216 wrote to memory of 2816	2216	cerber.exe	30
PID 2216 wrote to memory of 2736	2216	cerber.exe	32
PID 2216 wrote to memory of 2736	2216	cerber.exe	32
PID 2216 wrote to memory of 2736	2216	cerber.exe	32
PID 2216 wrote to memory of 2736	2216	cerber.exe	32
PID 2216 wrote to memory of 2532	2216	cerber.exe	35
PID 2216 wrote to memory of 2532	2216	cerber.exe	35
PID 2216 wrote to memory of 2532	2216	cerber.exe	35
PID 2216 wrote to memory of 2532	2216	cerber.exe	35
PID 2216 wrote to memory of 2524	2216	cerber.exe	36
PID 2216 wrote to memory of 2524	2216	cerber.exe	36
PID 2216 wrote to memory of 2524	2216	cerber.exe	36
PID 2216 wrote to memory of 2524	2216	cerber.exe	36
PID 2216 wrote to memory of 1932	2216	cerber.exe	37
PID 2216 wrote to memory of 1932	2216	cerber.exe	37
PID 2216 wrote to memory of 1932	2216	cerber.exe	37
PID 2216 wrote to memory of 1932	2216	cerber.exe	37
PID 1932 wrote to memory of 712	1932	cmd.exe	39
PID 1932 wrote to memory of 712	1932	cmd.exe	39
PID 1932 wrote to memory of 712	1932	cmd.exe	39
PID 1932 wrote to memory of 712	1932	cmd.exe	39
PID 1932 wrote to memory of 1820	1932	cmd.exe	41
PID 1932 wrote to memory of 1820	1932	cmd.exe	41
PID 1932 wrote to memory of 1820	1932	cmd.exe	41
PID 1932 wrote to memory of 1820	1932	cmd.exe	41
PID 2532 wrote to memory of 2104	2532	mshta.exe	43
PID 2532 wrote to memory of 2104	2532	mshta.exe	43
PID 2532 wrote to memory of 2104	2532	mshta.exe	43
PID 2532 wrote to memory of 2104	2532	mshta.exe	43
PID 2104 wrote to memory of 2880	2104	iexplore.exe	44
PID 2104 wrote to memory of 2880	2104	iexplore.exe	44
PID 2104 wrote to memory of 2880	2104	iexplore.exe	44
PID 2104 wrote to memory of 2880	2104	iexplore.exe	44
PID 1980 wrote to memory of 1044	1980	chrome.exe	47
PID 1980 wrote to memory of 1044	1980	chrome.exe	47
PID 1980 wrote to memory of 1044	1980	chrome.exe	47
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48
PID 1980 wrote to memory of 2244	1980	chrome.exe	48

C:\Users\Admin\AppData\Local\Temp\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___7UNZLG5Y_.hta"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://p27dokhpz2n7nvgr.14vvrc.top/28AF-96F9-1DBD-0446-95CE
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2880
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:799753 /prefetch:2
      4⤵
      PID:2652
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HW6ZUUU3_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:712
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68e9758,0x7fef68e9768,0x7fef68e9778
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:2
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:8
  2⤵
  PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1236 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3556 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3960 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3740 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2448 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3848 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2420 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1252 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2384 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1724 --field-trial-handle=1364,i,3664842813366162049,6973290973207799732,131072 /prefetch:1
  2⤵
  PID:1152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2252

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___7UNZLG5Y_.hta"
1⤵
PID:2080

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\rnLHtlM-YU.903d
1⤵
PID:3036

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5e0
1⤵
PID:1752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\_R_E_A_D___T_H_I_S___BAVPCQ0_.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1624

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\_R_E_A_D___T_H_I_S___MONU_.hta"
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
991fa27ffd9fe33dd5892002dc21e524

SHA1
193c47ed290ab20771403eed0d5cbf31fd8d165e

SHA256
7327752f5e0a8c67195c071d4ff1bdd1c318da7c1f0b754930cfae5ca6cb8f40

SHA512
553f3ad9d09026e0ad2457130921f3e1e2ee7fc65d2af34945d895650b1bfc1a8cd43ca9bac8782f3d8e0a4090f1e56d1b5fb89025a6c57a26227c3b697e050e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0e7b2731c2cd5abde90ecfbaa041ae0

SHA1
f41a783d797e76753c26cfcb1c631c81e4169723

SHA256
db5208b9c74a0b499dfee5c44f54fa72a5463aebcb584af14d8516846502efef

SHA512
2614226568eef0aaf7c40e5b83cbfeeac6559ffce12352e26e27bc96348d457885ca57d93df07a266e5ce7e47579ae572421d1f6c84f5cc745807802edcdcf7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00fd6c108d3735a1104c48f86549af0a

SHA1
79d371b92f6df0b7e8a6a44d7806c6e7ca5b8ad0

SHA256
0a63d6840f81545cfe293d794b5cf25293a8c0fb5f5a4fb01e02303f0777a78e

SHA512
9526a7145ad9ccf5c87f646bd0c92628dde17199afa200ea869c82c8c85b5575eb554898ccfca3820c70ae772f6260f61cba2df69574c058d6403c5ea609b1b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afe13e1ebf0a1ad2110123ddd6a05ceb

SHA1
dd82eacc1e2a0eae602c2fb01343b450c81fdc64

SHA256
bcfa3e79a52a6ff185c957f4e78a0d514087c4e66ddf950e28b8de5b1bfbf3b8

SHA512
43da4dd8e55b86474783082d06b4d3ff65c367039673fc2a934db97c107d9e65a0f3cc6f8ca0123590f5f19e02fd7eb09ecc0309fd29d840ccd64cf2e9f2ade6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db463c6c6fad6625d472a3efd8da98c4

SHA1
07b26da17a584b942170dc16e413b8a8c5ea490f

SHA256
014e466e7ed7f87c927df284abfd25349ee6d15d5144d418afb176e926a823ca

SHA512
1949dde1760dea90cee8f5e5b42f9ffee14f854ab2ad089e630938cd5b5cfe3f1ac6f0109bdc9858ef4233f8924de109bc1d3d996bd022ea8f710b5f76f4ed21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a98032aa1fc2268513113be67b2ab56

SHA1
341fe305e9206252cc50b4e738c62a12e4ec285d

SHA256
49165b6e48ff4691d648a53c1bb377f114f6816d05bdbd96c3e6bf0c562beeb6

SHA512
995149f01edc473b029158f011279278f92a297e45ec36e194ee2c9d0cdde99717d970f4ba83db5fd88ba11d03c07cabfdee687fb7a2d7c5e71ce8a55ed5c184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e378acd98d5ea53f94696f72b3eecb70

SHA1
24173c9fffbdf8ac9bba7768a7448d099d3545da

SHA256
b5e8c93e9fc650f3a5ad69aa09984c7d21677967d7dfb1608c34353e64275317

SHA512
b1fe98f69525c1b341b438aa159497a568407302cfef1eb2d89bc0eaff288b18cbbc1028bb7ed496253986a7b33ea5910f3fa9692ebaeee9c085256819522cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daaac35f490bb31b38660192f4bf8084

SHA1
6ff1f0c7ec3674c9f57ade01609e138c8b32d0af

SHA256
1f1aa8148722b06c61f29512472b82b648e09bd5a8cc232c1fc5a758ae29f37d

SHA512
217bb2c580b754f6b11043b248ce1b1910cc83f9234301f695393b39ecd387208eb3426db0023daf414e18bc0d21a46d0e2e19b9e6a1dd5dc2e2ef72dc06f8c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8bacb17e26e32249df3b2de087c23ad

SHA1
c887bf827b843983a2a076ab9d9f91a208d61ccf

SHA256
8d1dca3ac204a6a2f8e25206548693f8829d084e199752ce83ebe4c431f1acbc

SHA512
46a8d9eb38b24f0a6fb619e39ba896e9c5ded27caeda3c4a1876fb98d578ea50bbf3cdda986d63a4ad7719234f935dc537e7bbec9bacf6ee3a16516c512819ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e00c1b67cee2770d43a487c35e276e49

SHA1
427b8786bd5543cdfa6181577ddf2ac6ffbd3c2f

SHA256
1cd9c4eb7e46cc15c3b4e2f01cd6f71a3f843108bd66f408b1d33fed20c3ddbb

SHA512
eb70a3f00b68444a06a00edb68868d64e40ac43fb38c777b770dda7e19051d9ec3ab7da7ee99a7d59e710f3b681303b2e0deb802049c2fb584ec1e4dc5858f82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca21320f07b37be49d87ca26f5cc02e2

SHA1
e15482661863b8c08c72aded0a26b0f4403519d8

SHA256
fb6ff884868122e0e7893fd2f3f2cf7a39e7aef37522b7f75291142c706b463f

SHA512
0bcfd7479059bd42a9d0454f73bfa3b98c909535faa57a1fb587446b68f718c94255cc6029a9e6cbfd99556a805122037b43718f7391a55ac88f554d2a118ee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e4e1605d3370df4a29144532e4c24a9

SHA1
da8e5daeac012f4b25cec7798c39d77d59394fe5

SHA256
319b79f3f2389d2ae9fa8f5d49eed09d0254c08f8368078c1ca6e28a1b6dd13b

SHA512
eddc9dabba3782a46466a76ef90604ec3b21aafd1d6519ab4f27bd1e3cd7f4788ea95444d01c90d0dc1d1407107a1e0eec464b760dc07f420d4fca071a9cb6f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d2092d408f932fc862cb581ee7581966

SHA1
f0d4f933f86c53cc8905988007ae6f702017a1a6

SHA256
50ca24b517b8c1a92e156698b5b31af72c63a4c852978f15952eaffc4259c861

SHA512
709d034d2b96a776fb70787bd12074db6159b007f3193e3775326d29dbcdba731395b2ccf5e9b190769cd993bd4e486615b80981e70e99d6668a47a03b6d0151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
462de210197f9d02c46592669d695d99

SHA1
c63ea1e2f971e6b15bc9046824314b6db0ccedc9

SHA256
5500c32ec47508fd9514c12d300059f4d7498542f383eebf0605d6a9e0f6fb9f

SHA512
9a2ec3affea5226c0c914deccf92cf67f5df4b60447cd89fdac8b7e44304af78d4f81b410088b8f6298b09faab85135d58e2dde1e42811c9aea26308d19fd912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e687dd7b5f0cdbae2d05d47ff938f337

SHA1
68bd45679fe3d03974080f7a5596ac47cafa9fac

SHA256
1d53a54a44f65657581a99f4e4eaa2591ffa11be49bd099a5baed940eb9e159f

SHA512
0732863574a3c76b5f4732ee508c544abfdf24918f2bfc9d9f7d558fc5d56db89a1b50d17d2e2dc6901513e2cca3eea9a7bcb61da67135e7c6c058927f8d15d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6f0834d013d098234049643fbf95edaa

SHA1
b4f932cd564a0d058bdc21be8fe4d7870169308b

SHA256
72c1b15eb969c4a57bf62f0f02d4c8cde61b0bd61cf25fa03d0cba1f1435f84a

SHA512
32a79d7a619c8f0ffc31c56ac38ae56ebe61498249b91bd9b505a3797e86c7c908dfecd56c82532627fc41a0c8cd76931cedbf09a4b78ec1b8c3ecabdaf905f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
97d5e5ffbd7db9a5edd8f14108d43268

SHA1
a0e77ba27528a934f9344c55f44539ea44ba00b5

SHA256
65c5601cdfdd37563526baedf001202157fa918fda8b528260d2aa60eaf7aeee

SHA512
71a3d666a7633f64bc0eef6a5a5cf68822fbbc7075e7a76e95e9d2efb9f4cf86577b177675c4bd621b9e09e23c3079c16bfd134697b9b66272960b28b741e786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBAC9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBB0A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF2FD476254B3804F1.TMP

Filesize
16KB

MD5
402b81eda7ffd950014ee0693005b88c

SHA1
686a917c95049c61aefe974036f8afa2a5fe4037

SHA256
9dbdfc704959af585af9e7a2b807570c40fca84c0c82092425176d5e41d3be08

SHA512
5e7e0cb52648e7431417546008e196745acb94f7907b199d2fe334b253cafbc262f29faa6f1dee34557952bad36b7a9afa4c6543e99655480881606da6db64e3

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___7UNZLG5Y_.hta

Filesize
75KB

MD5
f369aebbdcd6e14496506487430a536e

SHA1
9d90aac1bb189be009b9fd7194523f451bb86366

SHA256
011a538b04a7b904631eea68934f8c5ac44cc466ef3ec2aff26df646726fe3c6

SHA512
ea4ad72048677be1d5cee5c1ade659570fa7a9c08d1619b9ce14d179efc33ba6e2ee93f89fe02afca8a37b4f3ddf4fd366fbd4dcddbce51411515884677508cb

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HW6ZUUU3_.txt

Filesize
1KB

MD5
1c088c80730f120cb325c485d433d930

SHA1
7a8d40ac6949ab0a75f3dfc76e7c4bbbaa3bd0b7

SHA256
772d78bc2b61553155f6271945e303e522b60144def3777ec2f05d7eb866ea7a

SHA512
4f8ef4653df281055ee26a134b4c0be51223b72ec0270a6da32556230d41ea861d959085268af5c2b93fc1e046dd48d227bebd4cc97e18ff50508132025071fc

Download Submit
memory/2216-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-0-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download