cerber | 5fa4cbe0983a59dddd8a58c33a5cebcc0742c24f59c08f1cf78deebca0672697

Analysis

max time kernel
872s
max time network
874s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cerber.exe
Size

604KB
MD5

8b6bc16fd137c09a08b02bbe1bb7d670
SHA1

c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256

e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512

b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP

6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___OOAJCYZ_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="DdvWPlch" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yotZ0Dfriau find the necessary files? Is the cbontent of your files not readable? It is normal beUcause the files' names and the data in your files have been encryps3dXbxwtted by "CeKifcrber Ransomware". It mezhOxOans your files are NOT damagevUZKZ1dg1cd! Your files are modified only. This modification is reversible. FKjSIj75XeVrom now it is not possjSlLDbDible to use your files until they will be decrypted. The only way to decOIWNo5XlmOrypt your files safely is to buy the special decryption software "CCAvBoerber Decryptor". Any attempts to restPnPw0sYore your files with the thireuutXd-party software will be fatal for your files! <hr> You can procHQeed with purchasing of the decryption softwTwH1are at your personal page: Ple7ase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/11AC-530F-27A0-0446-9DD7</a> If t8QlQqT7Qhis page cannot be opened  clilcwL1Tlck here  to get a new addrWlf3ess of your personal page. If the addreHiDkPss of your personal page is the same as befoQEsJre after you tried to get a new one, you cnwFPnUzgkan try to get a new address in one hour. At thPis page you will receive the complete instrh8JAMbBhIxuctions how to buy the decryptijw6fweDJnon software for restoring all your files. Also at this page you will be able to res9tore any one file for free to be sure "Cerbew6p4nApZhr Decryptor" will help you. <hr> If your perk7sonal page is not availa5UzoZRble for a long period there is another way to open your personal page - insta6bGYp9Ellation and use of Tor Browser: <ol> <li>run your Inte20iICXuE9rnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entQ8eJrer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadYqE5MI11ing;</li> <li>on the site you will be offered to do4wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruVrzEaXn Tor Browser;</li> <li>connect with the buttcUs8mYon "Connect" (if you use the English version);</li> <li>a normal Internet brojXT6wser window will be opened after the initialization;</li> <li>type or copy the addSd1ZBrGhress http://p27dokhpz2n7nvgr.onion/11AC-530F-27A0-0446-9DD7 in this browser address bar;</li> <li>preHsouvXss ENTER;</li> <li>the site shoanMlHuTuld be loaded; if for some reason the site is not lodgading wait for a moment and try again.</li> </ol> If you have any pr9FbLOC5oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcIsIqnXXUh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditwKL3mkNional information: You will fiAWnd the instruxxus1wWbxUctions ("*_READ_THIS_FILE_*.hta") for revXFfATlstoring your files in any f89y7Nolder with your encG83rypted files. The instr0E5HyJfuctions "*_READ_THIS_FILE_*.hta" in the fRTG217olderSVcCs with your encryxpted files are not virhoWjuses! The instrucmntions "*_READ_THIS_FILE_*.hta" will hefKcxW6pFolp you to decbVYYMUMfrypt your files. RemembeYXSmr! The worst siQ62H9tuation already happk2k6nened and now the future of your files de74TYw4pends on your determmlDDGbaeination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/11AC-530F-27A0-0446-9DD7</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/11AC-530F-27A0-0446-9DD7" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/11AC-530F-27A0-0446-9DD7</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/11AC-530F-27A0-0446-9DD7 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضFOnuNbافية: سzYzKbuUوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشX6es9Qادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موCMPقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被�

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___DEPO1X_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/11AC-530F-27A0-0446-9DD7 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/11AC-530F-27A0-0446-9DD7 2. http://p27dokhpz2n7nvgr.14ewqv.top/11AC-530F-27A0-0446-9DD7 3. http://p27dokhpz2n7nvgr.14vvrc.top/11AC-530F-27A0-0446-9DD7 4. http://p27dokhpz2n7nvgr.129p1t.top/11AC-530F-27A0-0446-9DD7 5. http://p27dokhpz2n7nvgr.1apgrn.top/11AC-530F-27A0-0446-9DD7 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/11AC-530F-27A0-0446-9DD7

http://p27dokhpz2n7nvgr.12hygy.top/11AC-530F-27A0-0446-9DD7

http://p27dokhpz2n7nvgr.14ewqv.top/11AC-530F-27A0-0446-9DD7

http://p27dokhpz2n7nvgr.14vvrc.top/11AC-530F-27A0-0446-9DD7

http://p27dokhpz2n7nvgr.129p1t.top/11AC-530F-27A0-0446-9DD7

http://p27dokhpz2n7nvgr.1apgrn.top/11AC-530F-27A0-0446-9DD7

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1112) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2740	netsh.exe
3672	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cerber.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp22E.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3764	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1932	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802441598537886"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	cerber.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
468	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3764	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
1128	msedge.exe
1128	msedge.exe
4308	msedge.exe
4308	msedge.exe
6140	msedge.exe
6140	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5032	cerber.exe
Token: SeCreatePagefilePrivilege	5032	cerber.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeBackupPrivilege	5936	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	5936	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	5936	SystemSettingsAdminFlows.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5936	SystemSettingsAdminFlows.exe
2036	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2740	5032	cerber.exe	82
PID 5032 wrote to memory of 2740	5032	cerber.exe	82
PID 5032 wrote to memory of 2740	5032	cerber.exe	82
PID 5032 wrote to memory of 3672	5032	cerber.exe	84
PID 5032 wrote to memory of 3672	5032	cerber.exe	84
PID 5032 wrote to memory of 3672	5032	cerber.exe	84
PID 5032 wrote to memory of 4964	5032	cerber.exe	94
PID 5032 wrote to memory of 4964	5032	cerber.exe	94
PID 5032 wrote to memory of 4964	5032	cerber.exe	94
PID 5032 wrote to memory of 468	5032	cerber.exe	95
PID 5032 wrote to memory of 468	5032	cerber.exe	95
PID 5032 wrote to memory of 468	5032	cerber.exe	95
PID 5032 wrote to memory of 1676	5032	cerber.exe	98
PID 5032 wrote to memory of 1676	5032	cerber.exe	98
PID 5032 wrote to memory of 1676	5032	cerber.exe	98
PID 1676 wrote to memory of 1932	1676	cmd.exe	100
PID 1676 wrote to memory of 1932	1676	cmd.exe	100
PID 1676 wrote to memory of 1932	1676	cmd.exe	100
PID 1676 wrote to memory of 3764	1676	cmd.exe	101
PID 1676 wrote to memory of 3764	1676	cmd.exe	101
PID 1676 wrote to memory of 3764	1676	cmd.exe	101
PID 2040 wrote to memory of 4144	2040	chrome.exe	107
PID 2040 wrote to memory of 4144	2040	chrome.exe	107
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 856	2040	chrome.exe	108
PID 2040 wrote to memory of 2672	2040	chrome.exe	109
PID 2040 wrote to memory of 2672	2040	chrome.exe	109
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110
PID 2040 wrote to memory of 740	2040	chrome.exe	110

C:\Users\Admin\AppData\Local\Temp\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\cerber.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3672
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___08HH8T5Q_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NFAHZUE_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffbbcacc40,0x7fffbbcacc4c,0x7fffbbcacc58
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2060,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5136,i,3711165813935679373,6247558735855694515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:2292

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc6ef6624h5ec6h4529hbb44h50dc2df9174c
1⤵
PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffa7e246f8,0x7fffa7e24708,0x7fffa7e24718
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,13189048616513962699,2972737963670772787,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,13189048616513962699,2972737963670772787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,13189048616513962699,2972737963670772787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5300

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0020c4b3h858ah4058h8d68h55e9788ecdc1
1⤵
PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffa7e246f8,0x7fffa7e24708,0x7fffa7e24718
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12805038533859207578,3425363662664981017,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12805038533859207578,3425363662664981017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,12805038533859207578,3425363662664981017,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault86736e01hb07fh4197h85c1hfb0c8b0717b0
1⤵
PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffa7e246f8,0x7fffa7e24708,0x7fffa7e24718
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,13228448919786915469,2348044678487469934,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,13228448919786915469,2348044678487469934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,13228448919786915469,2348044678487469934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:1852

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
59b4cece30fcae4fcee4d3e7c740c80c

SHA1
3b299a3428f0ce6496b14964e7db7847d048e1b0

SHA256
339107f44132dd5ac3810a3b8314e05921873e499716fb4d39573d637f3ed8f0

SHA512
afde9debffaf275fafcf91f60e8530ab79be81f5f873943a40bf08d7a984c8814dab8248de024275ace349ec0438cd4f90aefe86a8dce7698aa27f10f7443655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
27b8200a8a926ea4b4498aa460df6ced

SHA1
a7748ce462a7edd6512c314e510d87051de366ba

SHA256
ca2aaf0295c81597546de89a31eb24758c4e169d2733fa6c66e1b1ffc6363525

SHA512
54ac0fdb46259429e2249d0615ecd57a0c499392563a2c1853a889aad5868d2642af8e7f0b50dbab5c9791902e74573687c6edca60a2a1f81c9808056c59d39a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7dab3f44698f8fe06d96ad6c7f0a8760

SHA1
f9bc77790d6621b4c448c6547838bf25b37c3a35

SHA256
43aec0a4410d6c5eddc3ecd303ff7c88b648055cf8d4f77e78fe634b5b7b7596

SHA512
e68d927fc215924133bc3278db08603df165693dae3958c1d1178e94ce925f916366a008f24fee5e45734ae43ac12de841e81618ce37f4215935529b8bec5806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba2d2ec0f572b2f2a81485f8f8f74a06

SHA1
c4b862e9a6a2ea5a09d0a91f8e8396f7efd9392c

SHA256
8f6bface8853c05b27516b8f6788b1cdae4840983a8d1acb523ef39c8011ae01

SHA512
33af11a4def279f09930d3b313de9e9848cd59e4a8f5046dff25630ae858e900fc8a4728e261f1bb82ba12e1bfa0071be9c3a7f120e9d38000a67b35997ffa05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2352c8a2dfa0c7aeffa9158b3658a649

SHA1
fb8975962547c91c13e57aa5697e940a64bc1834

SHA256
34c60e82789dbc24abaeb3d524faf9770c414f05cec6405dab2dd64569faa936

SHA512
987a28a0e4b1b91f00077b7032e629b5d1e04886e45e24c903a1050472556d83f3431aef37bbdaca3da975a120ee3c8638004a69e037357b3808a9073eac72be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d1e553ed01d41a6445c115253a2dd79

SHA1
040a037e412b358203676a341842e60b6e296702

SHA256
9509274952ef80c1ddf2f0458475c6ca104231818f18b51f8aaa814b8741f2c1

SHA512
3e240bd9f971706dda1cf4b1bc96591c2fa526be9dc0dfbdf43e1f1621dceead162e8f974c8e8390980c98a55051732222e542515ecf40dd4c0ba248d52d54cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2b8b281b2bd7f99cdce0c022dd7c0dd

SHA1
7e095828709a362e484d345542b0ebee400bbf6b

SHA256
e262eb0476ce6ea260369052e3b4b5fa64d237503e0ff6a81c0971cf1638c8a1

SHA512
f45ef0b7e58d5f7fd8476ed63ae78e9c4c1d5c40c9856aaa5b58a19bdbc33c3300e7001b0d74268760d2892d069e587fefc98861d1da4b9826b7553cdeefe099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60911619be9f7d4620afbc4af7062081

SHA1
ed83cf4fb2a411e11a89b7184dab33d37b55945d

SHA256
be7e3c59314e1022ceb419986e3b0fbc397937df4e87a9ac8693ae22c3d73647

SHA512
a3c11bca123a53c3c9d5533aad59a0a87c22377bdb098a19d7f2f84e34f97d0d3c245f82e7c944c4445c6f81e1110120c79b4003550321baefcc0515af249bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42590cd24883eef1652990674f82514f

SHA1
93f829349646a19ea3481c338447792354f3a2af

SHA256
247cc871cc1bcc98f060cc6a1f8d91d28cceeaedd0d49e7512c5ee4296ecfc90

SHA512
61b4ebcfb372802b2cc3c8859a76d2c7f35566b221edc1ca67deda5dc9b69ad93053f749bf4899bdc1ace712e31de0051336c0fd9216cf439ba0a758e18b14e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a6b7eba065b8d7e38874204587c9f5a3

SHA1
70c50511541a1772ddb252384853dc6ab13db7df

SHA256
6ef9ac5ec5d87953f3c414e169c5d5f454a312951480f96c5add4a4e6d14c578

SHA512
6e7200783e55df10150efdcadcffb8b3b6affbcea58c9790a0c12156ec1715cef20e1ae50b19eb0b4479d8ea982d64a238296ae1d4b402f6d4a1cb4f8f669782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
9d33a317b7b64d87bd3cd686312a32fb

SHA1
6c1ba9cf1dafffb4c979366a24b372e0e9e94531

SHA256
90ee351621e885a04af600ed6b864d369280f05d40bb12fd19ae2e9f6cea6959

SHA512
43b03db991eaae4ce408f3dd457290cd67ec444f05632bce9f4c1c6d9863edaa89e5113be8b70787f32d04b01413e45e9c577f40477cd90e655b80f3e2858b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
36ed37bd6aeaf7082c2b0beb695e4176

SHA1
f543404dc36ef4532e3f398c6b1b8705fb5bf542

SHA256
5cbd34ec87ec11dbfe831ad828aff57a5114d4c65fe86fba245597c46e50ea70

SHA512
80cd8706c97cff5e1ac321b309397a146d8dd6ef291cfed7a8547536c20c61be40601c5ad6fe2f1f5694d5357e99d28c4865be707c6b4d65ceaa16b0baa3e61a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e1781701ff13816440cf86fcf60bfebb

SHA1
0d2ae3cdb91cd09e52e73524d328598f0347874f

SHA256
01b5c3381aaa86d1c91660e80a42a58161d49bdae8f3019ee6c3e35c3443f5d0

SHA512
4aa9f3d4712416eaf84a9ab8c1046f9ef05c5419071304e4e16d6c49e68041ab8d1ff783583d83ab87d3d291b3c9d6a9c73b49a0cd8b5710ce7a8895aa043bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d7cbd0b8a90d4b690aa892ad01dd3ee

SHA1
de2cef3a878fa892ddbaa2df84f8aec2cdff8fdf

SHA256
87fc7ca0067b8538ef7430673298e6acd874c6b24d4a5c62f6bc6ebb96e1789f

SHA512
18c53879e39f32f371313b6b99ea2e720c072974105940bae56e5a3c62557ce9a23fccfdf930dd3169f6b292b68b1c98488def111313407d289ddae9598d5ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\64a777a9-46ba-4fa4-84b2-a03950285d30.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
81bc00239bc1d1c191a328027314cfce

SHA1
daf3258bc9492a4cc38e057e854098e473c49e11

SHA256
58c08f3ea9243ad93db5941da128f2790f0058a668f6f2d99c31630b4af9a7ae

SHA512
88f98a5075e9998e301cf2574ad092b4d6816fbe085d7f0af759d004e4b786a0e3f1f2fb5eda7ec4d39976a966c217387915d03929b5310e88b5a096875cfd88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
3fb09eddf37dc06c0353e63efe0f2347

SHA1
3fbcb76e71b375c856cb3f45d7bd1bef782a9636

SHA256
e5500d2b02f8eb5e83e6fb9bdf13f1d469b4763f3cd885efacb5e0934b82dda7

SHA512
69b475fc13c3b3aa67e388ab825f7b9d98d80d0176fdb4b79e904afa96f61b6d29375980513836aef351b589f981135c0d10839e5624ce751a8123cde85d1c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f17863194532c3e5be23f40b813fd82

SHA1
853e121f6475c2a82f88247968fb821bb8008f54

SHA256
f2324ed469c92311f57bf8704cb7145e2671e22ad1e28c837310e6e8b2b26c9e

SHA512
416de0587d651f071f82c96605344207f13df6bd34046a0d305b36ceb3ad42efe86f3f75f1e02560b701cf18f48736c5ba9b105d4ff136dc1687e134009d7fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca41daba496d3190d23c55b27c9d1fae

SHA1
63f5f974193265f929dbe79ee3cbe7b0c45b92e4

SHA256
84040b6f6618c8d325fcf7a1d77262a4c5adf9ff9f2d61a53203a8d6e354e1ef

SHA512
9c0673ff223853bc58ce418712956a4cfc60c38c06d2cda47eead9a265585680f9aa4e187b41aa978c4a8f431ff3c27c43761f0d49433fbe091cfb4e56dfad2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
d5dca06749b789641c614157685f8020

SHA1
7262a95e18b4fe193c447ef4af7fb0503b09ef27

SHA256
fce6f7128bad2bbe982d885ebb2f180e9c5bf02883b8b7aad1ac2d7883519f56

SHA512
e8823c96c0ddf6dff033fa754814a02ea905674e4795ef7d9293aa40773adf63afa94bc5612a595b764207d66cb4867ee2d9422fd6d90114b45ac12092ef3b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
f1b9231e5ba21181027ffc1fcbadffd5

SHA1
cac6078e0653bb04d4f9eebbb9b29a0dae01c399

SHA256
b0bb2a8fa5ee4c4b11eab747188cccf405d863e2dc82e9d365ab3b9781cf85ca

SHA512
87a9469ad31e92cd13243d889c40af6dca0bce0c635321e32c9586b2ed1a910839390b5ceb2429161c8af76a9b33b1cc1f27aa6bded03a2dac5b3b7e4191105b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
e97f4cfc6cf55c2d2ce874d8b30594b2

SHA1
8d324438cadc3393891d508ecd20da04edd6c236

SHA256
8272149ba570cdd95201d89f2af758385925e72070cf1df3ef7a38e32492c881

SHA512
250b91c791b7ad2117773d43a5cc8975a89f7595bc2fb2d234a816389c50653b63532becc4f25a42a563de948427a7a119cdd0b63e4427e5180ca80def657ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
ee757ce7d18a4d96d0d5a04754bee2b4

SHA1
3d1adace600aed1e795ecff31843b6a7f02df492

SHA256
0dc3fe1b42e5a86fc1687f3a39ba6857c95dcc7bf0263fc434b8b70749f54a3a

SHA512
d5964d591e37fbc628b4fb4b910a0887a5987e2bbd6245cb5f30c82c4a68b54c07d8da5b1b5268a7824539cba518cdeaa775f034c8afb83551b8ba4345581b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7e2408cab3abbf953e107588e208bde4

SHA1
7739c42db466c8a340fa14e37bb0d5c041c0dce6

SHA256
ea8815f86a7ee9bf2180ba6c9dfaed971ec7607ecdad715ee64cacbdab52fe7c

SHA512
87c9f3863a40891ac8e60a4730e39c7c093d6b7fe41b24bd36fb0446a566df802f8e6eb44f009165c6b5ee5c2e239eb721afb823ba06cd5f0a37c3c4d6b34068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
eb58699d8ee66e749424b7ed917bbdab

SHA1
6a518b77705db3d6b1d33a4c9aa9aa97dd468295

SHA256
1cfd929826d7ae48b4c180fbe9faf7ee7618983c3082d4f566450fccc4ec6e7c

SHA512
c11c01959fafe84b24b5e895f8f5e124cc45aaa59a95bfb3828027ceb9c34d40266b28ab5ca9362e3289a69f250d6a75a914b78662a082700bde49641d972336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___DEPO1X_.txt

Filesize
1KB

MD5
a1f04b310a1fa838ed4d4d0f8ac390dd

SHA1
4875a2d700b3d2ae1a341411d7b45d9a24ccb9fd

SHA256
c1e39f8a2f546766105ce9aa2f79b495a5cc9858fbe2cf8112edb77689cb3a28

SHA512
98af61838732587bbd9784805f2573d730350e27113e1d311cc82493ecbcb40276ac9253ef715fe1d9fca4032c3c0f5d5eacc335f80dd57844b204e8a8fa4f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___OOAJCYZ_.hta

Filesize
75KB

MD5
d19e8a5212b84e7ba0fd2aaff413156c

SHA1
3892b15f9a01e28adfdd54f1d75ae69eec35af4a

SHA256
92e0f20fda59c8ec6d827ec3db095a59add06cbc628898676780473d427d78d9

SHA512
39b5dc3908f1fc1383d4d00580c4fffe82a902bac9f77f2836dfbbf190275cbcb5dd490725411ab7125f16d91e1c3ee63159aeb59de88f46c62242d07efb8c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2040_1544413351\af2d2ae7-79e7-4144-9f29-60abc3675807.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
\??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\$SysReset\Logs\SessionID.xml

Filesize
106B

MD5
ee1ef7ffd242b6fd422a586299f25620

SHA1
8992c0e7c9138743af24e8ff3f341d3a52a4c82e

SHA256
489804303ae11b55698da30b74dc7304e20598c0caab64e172f4ee0e2d3902fd

SHA512
9dd56e0d7570a77792609fb3569c428600486bdec7d502c82749b678d5c7e1e92c74c5da80ffcaaf037af2f73d0bc41cf619b5572b56de4005438ce481e60412

Download Submit
\??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\$SysReset\Logs\Timestamp.xml

Filesize
41B

MD5
16a009ef35dcf9a2c6b4bdb8e9256000

SHA1
3dae51d6b799a76e9dd10a899de1e59db3aa1a56

SHA256
76e12cdcd8382b3e7e080483dc6488eea5e2808760e5a2a1ce0ad052fd4c16dd

SHA512
5fe2203615a596d4a205c74f03c7660cc6bd3654a2d3b055845859d12eb935767ecb7d6505ea4397d3a0475ebad57c64d16e037c1316721fb5a6ce9b276504bd

Download Submit
\??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\$SysReset\Logs\setupact.log

Filesize
767B

MD5
b250386e078299e4ae59d52e394ccb8d

SHA1
98bc152ff27b524c1d90e18f3c9d893f63fc36be

SHA256
c06c015a799b0bfb1b0f8e29e3c4d1f16627d93d6d135cec2d5a4762ad5fbb7d

SHA512
d810e7980a087d64b0b619053cde789eed9dfb173bb1a38079d6e94bddf58043d5a2d343af1d8893064d167752933766ea3d147bd2b6b614badc39a656881483

Download Submit
memory/5032-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-0-0x0000000000770000-0x00000000007A1000-memory.dmp

Filesize
196KB

Download
memory/5032-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-427-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/5032-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download