Resubmissions

12-02-2025 14:40

250212-r2c9pawjcp 10

12-02-2025 14:40

250212-r1yt1awjbl 3

12-02-2025 14:35

250212-rx15yswjfs 8

Analysis

  • max time kernel
    54s
  • max time network
    56s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-02-2025 14:40

General

  • Target

    https://github.com/Endermanch/MalwareDatabase

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___C0TDV_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/55A2-C1EE-3053-0098-BAA9 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/55A2-C1EE-3053-0098-BAA9 2. http://xpcx6erilkjced3j.19kdeh.top/55A2-C1EE-3053-0098-BAA9 3. http://xpcx6erilkjced3j.1mpsnr.top/55A2-C1EE-3053-0098-BAA9 4. http://xpcx6erilkjced3j.18ey8e.top/55A2-C1EE-3053-0098-BAA9 5. http://xpcx6erilkjced3j.17gcun.top/55A2-C1EE-3053-0098-BAA9 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/55A2-C1EE-3053-0098-BAA9

http://xpcx6erilkjced3j.1n5mod.top/55A2-C1EE-3053-0098-BAA9

http://xpcx6erilkjced3j.19kdeh.top/55A2-C1EE-3053-0098-BAA9

http://xpcx6erilkjced3j.1mpsnr.top/55A2-C1EE-3053-0098-BAA9

http://xpcx6erilkjced3j.18ey8e.top/55A2-C1EE-3053-0098-BAA9

http://xpcx6erilkjced3j.17gcun.top/55A2-C1EE-3053-0098-BAA9

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Contacts a large (1108) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc1ad8cc40,0x7ffc1ad8cc4c,0x7ffc1ad8cc58
      2⤵
      PID:2492
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,2690103965739480240,2176607269693399678,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=1808 /prefetch:2
      2⤵
      PID:1600
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,2690103965739480240,2176607269693399678,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2164 /prefetch:3
      2⤵
      PID:5040
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,2690103965739480240,2176607269693399678,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2312 /prefetch:8
      2⤵
      PID:2456
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,2690103965739480240,2176607269693399678,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3144 /prefetch:1
      2⤵
      PID:908
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,2690103965739480240,2176607269693399678,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3176 /prefetch:1
      2⤵
      PID:3008
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,2690103965739480240,2176607269693399678,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4608 /prefetch:8
      2⤵
      PID:1376
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,2690103965739480240,2176607269693399678,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=5116 /prefetch:8
      2⤵
      PID:2688
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:4268
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:2368
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1048
  • C:\Users\Admin\AppData\Local\Temp\Temp1_Cerber 5.zip\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Cerber 5.zip\[email protected]"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    PID:4960
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4548
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4752
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___1G8C_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4760
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___M10U_.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:4964
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjY4MzQ0MDg3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1756

Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6952d1b4-0185-4ef1-ba6e-2b3d6084e9a3.tmp

                          Filesize

                          123KB

                          MD5

                          f36376a91a55a4253d0c18f6717a2b2c

                          SHA1

                          68b08d299f4ce99fa40708c6f07c99e1823cbe6d

                          SHA256

                          9d8b2dfc6829c60509f76a182619d119a4e9c92b2021832adebc67f059fd0c43

                          SHA512

                          0d5b53445eedc9cdb4bc937098ac09204d691f91a579c2bb77dbc67d944dbcb671ee39f07d25c8206b3de67cb1569a26bd3a6ee8f5c850b8e9881164009984ca

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\690be37d-0068-40a3-bbc4-a0c72b4a5de6.tmp

                          Filesize

                          8KB

                          MD5

                          2fb5d3c001649e9bd8f88252828cd34f

                          SHA1

                          c086abc57ac52414bb36ddb1d1a0639f3fda6ea4

                          SHA256

                          6934717d0fe893f64edd888ac272fcc57971939ae9da972b2b15df69e393096a

                          SHA512

                          e2dad59fc5984bdfe64610ad2bddd3414d51cdfd390833332bd5e7c383fd0f729891165e5d5f6a7faf432fb49d88c982b243103c5541c6726f2a80e97226f5b9

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                          Filesize

                          2KB

                          MD5

                          bd8e162032e8845da35f0756aa80f381

                          SHA1

                          7140fedfa472670429c156432b23d0d109759085

                          SHA256

                          1ddceaed4ac96493fc4d45cb078835e5fdbc486a903c509c07173aae1c312fc8

                          SHA512

                          624715213b4540a5336f6e782755b92713aabb712abb33195c25337e603e4dfee909f81a58d7f454005c0e985300ba951b60f04959858d5dea5d39a1acaceed7

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                          Filesize

                          2KB

                          MD5

                          d5981f76af2b4146e78a96f50d761b42

                          SHA1

                          2b6eeb9147a88241e29c2669ca72d4bf93ad4a6e

                          SHA256

                          98159afdcb740700dc41d8e90b0e74d581ff3ae22dbb4bdc715d46be09ccd197

                          SHA512

                          f1328918f24ba8e3387c57ac0fe6aa51ecfcf20ccb86bbdc1661ad3c86600952e390dc977182944a7f61c8d7ccf0ade0f35fea6d3a117bce1964d590eeb46153

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                          Filesize

                          1KB

                          MD5

                          a2ca931b330affbe8a5ff432e651f5b9

                          SHA1

                          10e8f079cfc828d66c3cebcbd4b2ec3ff1a5f8da

                          SHA256

                          4713d290b2fefd95c028ae0857b028502a19e60368edd0b549b74b04e4ddfed8

                          SHA512

                          28db5bfdc684cfdbdec19e9863db4833bbf29939ff578ed004f6f81e323d7581ced0ed45f29babfd4f6a564fcb4d12c43226d7fd699fa53dd6a9efaa801483c9

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                          Filesize

                          1KB

                          MD5

                          806e41c734bd7972074426f65e9099b6

                          SHA1

                          0aebf151ce0dcd05855d9a8713228b23518e7361

                          SHA256

                          b02ce17a12067f18a988bfa29ca16d76e0df75d3bbc2b1ea4d6af6a8a5d26932

                          SHA512

                          4abe3b17a8479af63c4a26c9df51a80d5f4578957dda8563e091f3b1b5e7b5cae1d8da4d9fcb5a2a66c0a5d4ffc9484c0dfe3c65267660f0994ad45f4f8a5dc4

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                          Filesize

                          1KB

                          MD5

                          dd1c45adac3cb25d84c1d1e51be623f8

                          SHA1

                          5e748bef482df9bdec58208a05af3280bc0dbca6

                          SHA256

                          3e83a7e7b5bbea8466ce3f534146b6548928971b57d3db31076b7345b221dcc6

                          SHA512

                          5eed6399e10e206d2a9aa09420e9d7ac0dd01e9d787a879581fbbb6dc0a87841e6b239ec10f1b7ad14bf939fe6d0b13be4ace5d210e40fa32eaa1a67a22f5bd2

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          9KB

                          MD5

                          28d20d14699c9731dd5074371ed9caac

                          SHA1

                          cc809ffb2ca7ba26f700ac3e1adf3c9309f24a63

                          SHA256

                          95ae97fe2e1fd4ac8adc2c5e72c656d92d612bc8e9681dc962f946726dc43c39

                          SHA512

                          bbe7d628ee3d33cb8fb17f08b07a874e0b52c1c0b2ed4eb0db733c5d17a5c43c4f8c317a31ef435643c8ebad0fd78fee740b0f4f309c68aad3caaf875a736f67

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          9KB

                          MD5

                          a3c35657dfc3a8ef657e2cb08b5b2d4f

                          SHA1

                          db3795fe0ec9cad04f65751cbeb59b52ed11c0a1

                          SHA256

                          d53be812139596e454adc7ed085afda06ed21336d0ad6cf7798ab25fbfce72a4

                          SHA512

                          50d73f41fcf79bed90300b038bd79e4bbf60e04c430d46fdd9dcc38a9834322dffb8d6bf40377ecec784d982e9caf4b4b2f6c1cc901047e6ef882d4c35a54091

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          9KB

                          MD5

                          0edacd1f483e0643f6cbfa3648574aad

                          SHA1

                          4e0d9748b3a188acf5dba9fe8d1cbfcfb065fa0c

                          SHA256

                          aa6521901cbfd6b1360a0beb0895f51f3e5539103457c95d35f86bb60d2a8635

                          SHA512

                          bea5683a860d72455199aea1d4208a9e8d10aba12c2981a3bedfc79174d334ade15b03e267a099237d9b66b096211de6ac818280c2f1fafc297371e3312b6bc4

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                          Filesize

                          123KB

                          MD5

                          ad8c45e64425a4c18bb94ed97d12cb16

                          SHA1

                          3fcd529be43181e6d91ffca0ca90de45aef704f2

                          SHA256

                          7bb65549344ec2588070a06e4c3a8f26357bcdb4da3c84a1de815f2d1699bcd6

                          SHA512

                          a1dba72768db723e95a2ee8286b41e544fe71a43845d43254d2b1155aaf473e6ebf688c5a25d96ef9c18024fb04182d868b3a5ae80c28d325370441fed15f764

                        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___3AF40_.hta

                          Filesize

                          76KB

                          MD5

                          4999332f6edcb00db452796bae4ff9c3

                          SHA1

                          29eff660dd39503231c7d252eb34684c94255493

                          SHA256

                          e0555444f2bc603e935f9c0eb7f21323dcfe33b1cba2a1223b1926a4a3551e09

                          SHA512

                          9ef4163ab19cbd248425c153159f43dcf152c5d8bc424c6605a469ff793d78399b380cc8603b4b12b0c35cc3d1332f8541da1e9382d58aeabec9d9a0c1bd7294

                        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___C0TDV_.txt

                          Filesize

                          1KB

                          MD5

                          e63aeaec0c8d8a91adf8500e2d99c0bb

                          SHA1

                          d85db018bd074e9450da5d945820d6f3721b4f31

                          SHA256

                          91f531b4cf4efffcd9bbe1b28b06c692354e080d27be943bb632f1732e234272

                          SHA512

                          b1576eccd15c0aaa6d7d17b8aed70e0af5586bb8c592d8162248a44cdc73ba5c4a5daf2e28eb4577c03f55fcc813593d583f6b75889e4a88e4c0ae2ae0e6c6fd

                        • C:\Users\Admin\Downloads\Cerber 5.zip

                          Filesize

                          181KB

                          MD5

                          10d74de972a374bb9b35944901556f5f

                          SHA1

                          593f11e2aa70a1508d5e58ea65bec0ae04b68d64

                          SHA256

                          ab9f6ac4a669e6cbd9cfb7f7a53f8d2393cd9753cc1b1f0953f8655d80a4a1df

                          SHA512

                          1755be2bd1e2c9894865492903f9bf03a460fb4c952f84b748268bf050c3ece4185b612c855804c7600549170742359f694750a46e5148e00b5604aca5020218

                        • memory/4960-230-0x0000000000400000-0x0000000000433000-memory.dmp

                          Filesize

                          204KB

                        • memory/4960-247-0x0000000000400000-0x0000000000433000-memory.dmp

                          Filesize

                          204KB

                        • memory/4960-662-0x0000000000400000-0x0000000000433000-memory.dmp

                          Filesize

                          204KB

                        • memory/4960-661-0x0000000000400000-0x0000000000433000-memory.dmp

                          Filesize

                          204KB

                        • memory/4960-666-0x0000000000400000-0x0000000000433000-memory.dmp

                          Filesize

                          204KB

                        • memory/4960-677-0x0000000000400000-0x0000000000433000-memory.dmp

                          Filesize

                          204KB

                        • memory/4960-220-0x0000000000400000-0x0000000000433000-memory.dmp

                          Filesize

                          204KB

                        • memory/4960-219-0x00000000014A0000-0x00000000014D1000-memory.dmp

                          Filesize

                          196KB