cerber | hxxps://github[.]com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Cerber%205/Cerber5[.]exe

Analysis

max time kernel
158s
max time network
159s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-12-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Cerber%205/Cerber5.exe

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___TLGHTWZ_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/FA5F-218A-53D8-0098-B005 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/FA5F-218A-53D8-0098-B005 2. http://xpcx6erilkjced3j.19kdeh.top/FA5F-218A-53D8-0098-B005 3. http://xpcx6erilkjced3j.1mpsnr.top/FA5F-218A-53D8-0098-B005 4. http://xpcx6erilkjced3j.18ey8e.top/FA5F-218A-53D8-0098-B005 5. http://xpcx6erilkjced3j.17gcun.top/FA5F-218A-53D8-0098-B005 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/FA5F-218A-53D8-0098-B005

http://xpcx6erilkjced3j.1n5mod.top/FA5F-218A-53D8-0098-B005

http://xpcx6erilkjced3j.19kdeh.top/FA5F-218A-53D8-0098-B005

http://xpcx6erilkjced3j.1mpsnr.top/FA5F-218A-53D8-0098-B005

http://xpcx6erilkjced3j.18ey8e.top/FA5F-218A-53D8-0098-B005

http://xpcx6erilkjced3j.17gcun.top/FA5F-218A-53D8-0098-B005

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1108) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5400	netsh.exe
3028	netsh.exe
5156	netsh.exe
4284	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Cerber5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Cerber5.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	Cerber5.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	Cerber5.exe

Executes dropped EXE 11 IoCs

pid	Process
3840	Cerber5.exe
116	Cerber5.exe
5132	Cerber5.exe
5196	Cerber5.exe
5316	Cerber5.exe
5336	Cerber5.exe
5544	Cerber5.exe
5624	Cerber5.exe
5648	Cerber5.exe
6104	Cerber5.exe
6136	Cerber5.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	Cerber5.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDD60.bmp"	Cerber5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE0F5.bmp"	Cerber5.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\outlook	Cerber5.exe
File opened for modification	\??\c:\program files\	Cerber5.exe
File opened for modification	\??\c:\program files\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	Cerber5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241227230614.pma	setup.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\the bat!	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	Cerber5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\939bc697-c589-4e6a-ba25-238530e8c08e.tmp	setup.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\steam	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\steam	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\the bat!	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\excel	Cerber5.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	Cerber5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5344	PING.EXE
5176	cmd.exe
2360	PING.EXE
5172	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4608	taskkill.exe
3604	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	Cerber5.exe
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	Cerber5.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
6044	NOTEPAD.EXE
1144	NOTEPAD.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5344	PING.EXE
2360	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2020	msedge.exe
2020	msedge.exe
2716	msedge.exe
2716	msedge.exe
4140	identity_helper.exe
4140	identity_helper.exe
5080	msedge.exe
5080	msedge.exe
5244	msedge.exe
5244	msedge.exe
5244	msedge.exe
5244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3840	Cerber5.exe
Token: SeCreatePagefilePrivilege	3840	Cerber5.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeShutdownPrivilege	5624	Cerber5.exe
Token: SeCreatePagefilePrivilege	5624	Cerber5.exe
Token: SeDebugPrivilege	4608	taskkill.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1080	2716	msedge.exe	83
PID 2716 wrote to memory of 1080	2716	msedge.exe	83
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 544	2716	msedge.exe	84
PID 2716 wrote to memory of 2020	2716	msedge.exe	85
PID 2716 wrote to memory of 2020	2716	msedge.exe	85
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86
PID 2716 wrote to memory of 4380	2716	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Cerber%205/Cerber5.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc4f9246f8,0x7ffc4f924708,0x7ffc4f924718
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6644d5460,0x7ff6644d5470,0x7ff6644d5480
    3⤵
    PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5156
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___U4NLDWZM_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9KUDKBAJ_.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:6044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "C"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3604
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5344
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:116
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5132
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5196
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5316
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:5764
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5624
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4284
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5400
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___H3EH2D_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___GJM9SJ_.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "C"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4608
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2360
- C:\Users\Admin\Downloads\Cerber5.exe
  "C:\Users\Admin\Downloads\Cerber5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,831002221962420978,2080962682732999153,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5428

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:5544

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\fd7eae724ad547a497d9b23c83cacd72 /t 116 /p 4124
1⤵
PID:5352

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:6104

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3b681f1b553061b1d406dca73509e1

SHA1
1d0902a780b041766c456dca466ed6dd88db979a

SHA256
45099d50c298e321f628997d58aff82c1f91aa302cb6a46f5c8a2819a53685d2

SHA512
b6e59b2da8bce61cdb2f0bdbe6dd0486c68bb583a1066cafb979314c4c1baeab4136d9d958e9e9ef3a36b1d7988ae8518080b8aff9748c102d05646aea914283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
165b9ab5b6100e149d42942970795741

SHA1
873ef2b7bb080cee1f9eb80920edb54a235fc326

SHA256
fd01e423cf1b8c61bbc4e1c63f3cd70a81586a9d03a88eebd6ec3a16a1910364

SHA512
5ba31ba647b158325e7282ff6dc83e683b62895a1e3ebd5445a1f121d6d5fdee4b39164514f7c442bf67dbefcc7965c3ee946333e77047ced40df144aebef9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
21c5bc855efe0afad2f2f5b947362fa3

SHA1
79d64889654e70015c672f2fd85e68faa4e50fa4

SHA256
d9489423d087ab7fa38ab467d7b054c3f6ddd5f312d0773d3f78ffd3c24b811a

SHA512
32ff9c1abb39759e1a5f1f5ae24308607f85164ed8c287aa52fbf77619fd8fdc414a557148c61d926749711364d02f3db0c4706bf9f94e8bce64296c31d84dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b3ebd9bc1f6eb49e7eb53fff4df2afe

SHA1
1df035b95d7510714bf0ce3d878ce66501284470

SHA256
ba61f55ddc5a6e22be2db42489675ac02ff145c5c790c29ce1d4206f57e5d540

SHA512
9cd0ad82b5bee890c5a3a42d3ad4b1cfe13e022d648db70dcc43b5339b8853344611426c25ad374871cd1e2cc0d9c49fd48cdc1d7befb46cb977b128f8822f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eeec2e8fdb3d10926be7f7f005a6add4

SHA1
ef91d915a57451a526ffde4634f1152c6a751104

SHA256
3a35c99ef359936c246b01412cf6c3bd0a7b190fbfefa584d62cc27e6f6522b1

SHA512
c2044601211d75abf5bea962e73760289ec660326f7e8fce5a588a6a7672923682fa45a0876f197ec75c943d780bd06649d1810edb8331a293365dcc415cb4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
524c0eba78201e8faad29c29d0a611ff

SHA1
b8d23f3f70313f9f0f8c1e293e70a3f8173adea9

SHA256
693ac11a04057152b30e8d26dc646186c3e54bbe397122b457374d92620fde52

SHA512
5481d83540551f9999d6dbbe94c7ac200b53bb81e5d9a5a94761274332a0b4e4aad05a9689fed5b9ad6fb2c1d06f91e2730eaa4f53950f8e14cef5cf2af452ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f4b37887-7da3-426f-8f7e-f042276c9f2f.tmp

Filesize
5KB

MD5
34005e21bfe16269ff92dd359af277b8

SHA1
126d035f15b40ddc65ca4daeaa36c4ba997e7594

SHA256
6031fda5d4dd68e2579fc94cff3723352aab2649c64a0e9c8082309b057ab0da

SHA512
8b4b8d6b1615bdec959ad4a435ece65ef99b70bff67b38db58785165b3d9139788712b072e9f318bca0d8fd725a973181c0630cba2e3e256152f902d26944d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
0cebe755b057bae1d85e211c443824c7

SHA1
c7557f253c72e5eb6a73e39aba213d91c83aec95

SHA256
e99f9c3af7202bca4dada62f003dc25568d23af819527e60f3879ab48714e443

SHA512
32023449732143ea0e04ec3e2fd6604ba527547f0798f120a0c856306ba1e5073bdcf918f1c6094757ee7d668e44843422c808495187de9a576c27a4996153a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___TLGHTWZ_.txt

Filesize
1KB

MD5
42b4ad2286a3b4670cb1c78ad42a335c

SHA1
d0e29ee7a40778d9714b3e6a87408e0b2b08d676

SHA256
c0b7d20d25a234ebb1a515060c735c818262b2aff8fcb140093e91173082a303

SHA512
f001327df401df40e2e2fe660c42853d95c136f468628b1ca4b285b08682ea4198fb0f5125f43d2c6bb2bf258a20ff6031f6954bf39d8ffcdbd7ae250e024311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___W7W3F_.hta

Filesize
75KB

MD5
f6293a7acca8cfce832bfea20cbc0a46

SHA1
53a24df04e2f63764877f607bab7027d2c1ce19d

SHA256
457c4445d90b49fd43638a1ada2d17b54154b34d114426e3c6841167e9f01750

SHA512
3ae1ce92de43a9919065bae2016348d4df3b587bc171fb9272b98e65e44f954a35a3a30abcd9661ca550001a8bfc4d38657e8efb4cb0795a388fc48d5d90a90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\86f5a2d4\4b38.tmp

Filesize
344B

MD5
fa5f218a53d87d32a320233594e75503

SHA1
508a1b270495eaee667b610956b97bd2cee49d2a

SHA256
a346c2e51d2f29f719c86aef723a3c82e94cb67667f97e5e7a65f6e19127dee3

SHA512
4e20c55798d7ad30b5915a6ca54d363d95c3d1d4d98c57d9474a58c83e001eafb0d4c887aeba2d9f27126f95772e8dbb5b7f40b4ac0754958cc63bcf7d5bcf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\86f5a2d4\531b.tmp

Filesize
130B

MD5
1244489adc26615ca90a53768605202e

SHA1
3daedcf6282a1afdb8b9aa9d095c15082ef40f1c

SHA256
c7b82e9c0dfdd22270b0fbb33e921a51e8c83e5e701b46b0bbce34cd6aacb330

SHA512
0834992f80a739593042937b354551efa1403f5ae2c9211e1a51aed5226e2bb2b3d7cbeffaa790c98523c89a72d4a4432308d97afc22ec8a43a678e000b88d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
59d77242fea258d43e2554dc6d4e0145

SHA1
c629091870cf44eb268f6ecb75f418965cb7cd92

SHA256
70e31ba226d43ea950f85f8ab1233b2bc430d319a624b90ab5cbb517c78dd790

SHA512
1a0fe24098beffb59032acaf4997ac127e5f6500c498bcccab7df27601154eda6f733aacf9bb399f503d8503338f4d62b2d0713b6e0de9bed9f58ab9775d6c89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
2c2cdc150f755b2ee7c8803c0246b3ff

SHA1
936d602ed2b685a6efe811a81cd39528ea72e4d4

SHA256
a3bdb9f3718a3ebef3f9d6faf5327f7a6b832868172b7c683e285d5ba2d1e392

SHA512
6fecc37c874e6d48ee6221ae5da9c0edb7e9b664acc6dceb158c4e61a951800bbf811e786a74ef18ec10be0c66bd75438f0e82405c77541b1c4b800dd52748e5

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___H3EH2D_.hta

Filesize
75KB

MD5
66b6400012a4c2e9451cb14bedc8a066

SHA1
5375076f4f2521a38fd2012c218dab0d0ae23236

SHA256
93ee5a7f1a39aba495e7203a4a5047fcaf38fd0efa3f681c0780bf5b09be3cdd

SHA512
94aef3df9f47af6e50038f18b76e61556dd388497c2b02a50d49996caeee7b004639e4a17cac6578bfab767445daf3996c17f1d5193d992c4a34eaea0cc566d1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 266747.crdownload

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
memory/116-236-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/3840-714-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-666-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5624-760-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5624-765-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5624-803-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download