cerber | 2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2025 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Size

244KB
MD5

0c8d0933037436b674f2b8478ec5baba
SHA1

e8a7034c43d84b18fb93dc02e8a0b818a645ece1
SHA256

2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1
SHA512

305050c391f443007e3f6e2e4ec60997da69db406b6d85efd19ed9f71683dbc9697280307867237b24034ebe9d99e8f249fc5fc75cb5bfe55721c283261ab144
SSDEEP

6144:Cy9v17kwzsoL9M7df4cqT/4rrUVkg0cDuolN0Ytb4Ra:z97kDo2ffxcP7Dlvs4

Score

10^/10

cerber discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE | | 2. http://cerberhhyed5frqa.m5gid4.win/85F0-207A-1E4B-0072-88BE | | 3. http://cerberhhyed5frqa.we34re.top/85F0-207A-1E4B-0072-88BE | | 4. http://cerberhhyed5frqa.cneo59.win/85F0-207A-1E4B-0072-88BE | | 5. http://cerberhhyed5frqa.sdfiso.win/85F0-207A-1E4B-0072-88BE |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/85F0-207A-1E4B-0072-88BE | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE

http://cerberhhyed5frqa.m5gid4.win/85F0-207A-1E4B-0072-88BE

http://cerberhhyed5frqa.we34re.top/85F0-207A-1E4B-0072-88BE

http://cerberhhyed5frqa.cneo59.win/85F0-207A-1E4B-0072-88BE

http://cerberhhyed5frqa.sdfiso.win/85F0-207A-1E4B-0072-88BE

http://cerberhhyed5frqa.onion/85F0-207A-1E4B-0072-88BE

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE</a></li> <li><a href="http://cerberhhyed5frqa.m5gid4.win/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.m5gid4.win/85F0-207A-1E4B-0072-88BE</a></li> <li><a href="http://cerberhhyed5frqa.we34re.top/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.we34re.top/85F0-207A-1E4B-0072-88BE</a></li> <li><a href="http://cerberhhyed5frqa.cneo59.win/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.cneo59.win/85F0-207A-1E4B-0072-88BE</a></li> <li><a href="http://cerberhhyed5frqa.sdfiso.win/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.sdfiso.win/85F0-207A-1E4B-0072-88BE</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE" target="_blank">http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/85F0-207A-1E4B-0072-88BE in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (2064) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	CameraSettingsUIHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
39	4796	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	CameraSettingsUIHost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\CameraSettingsUIHost.lnk	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\CameraSettingsUIHost.lnk	CameraSettingsUIHost.exe

Executes dropped EXE 4 IoCs

pid	Process
2664	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
2080	CameraSettingsUIHost.exe
2968	CameraSettingsUIHost.exe

Loads dropped DLL 9 IoCs

pid	Process
3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
2664	CameraSettingsUIHost.exe
2664	CameraSettingsUIHost.exe
2664	CameraSettingsUIHost.exe
2080	CameraSettingsUIHost.exe
2080	CameraSettingsUIHost.exe
2080	CameraSettingsUIHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CameraSettingsUIHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CameraSettingsUIHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CameraSettingsUIHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	CameraSettingsUIHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CameraSettingsUIHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	CameraSettingsUIHost.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5D68.bmp"	CameraSettingsUIHost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 2664 set thread context of 1184	2664	CameraSettingsUIHost.exe	103
PID 2080 set thread context of 2968	2080	CameraSettingsUIHost.exe	111

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
File opened for modification	C:\Windows\	CameraSettingsUIHost.exe
File opened for modification	C:\Windows\	CameraSettingsUIHost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2600	MicrosoftEdgeUpdate.exe
4208	cmd.exe
2472	PING.EXE
5480	cmd.exe
5632	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
1852	taskkill.exe
5532	taskkill.exe

Modifies Control Panel 4 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	CameraSettingsUIHost.exe
Key created	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\Desktop	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{30AF1670-B459-98B4-F173-89DB22514C70}\\CameraSettingsUIHost.exe\""	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Key created	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\Desktop	CameraSettingsUIHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings	CameraSettingsUIHost.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2472	PING.EXE
5632	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe
1184	CameraSettingsUIHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	1184	CameraSettingsUIHost.exe
Token: SeDebugPrivilege	2968	CameraSettingsUIHost.exe
Token: 33	3932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3932	AUDIODG.EXE
Token: SeDebugPrivilege	5532	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 3504 wrote to memory of 1328	3504	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	89
PID 1328 wrote to memory of 2664	1328	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	96
PID 1328 wrote to memory of 2664	1328	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	96
PID 1328 wrote to memory of 2664	1328	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	96
PID 1328 wrote to memory of 4208	1328	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	97
PID 1328 wrote to memory of 4208	1328	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	97
PID 1328 wrote to memory of 4208	1328	2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe	97
PID 4208 wrote to memory of 1852	4208	cmd.exe	99
PID 4208 wrote to memory of 1852	4208	cmd.exe	99
PID 4208 wrote to memory of 1852	4208	cmd.exe	99
PID 4208 wrote to memory of 2472	4208	cmd.exe	102
PID 4208 wrote to memory of 2472	4208	cmd.exe	102
PID 4208 wrote to memory of 2472	4208	cmd.exe	102
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2664 wrote to memory of 1184	2664	CameraSettingsUIHost.exe	103
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 2080 wrote to memory of 2968	2080	CameraSettingsUIHost.exe	111
PID 1184 wrote to memory of 3532	1184	CameraSettingsUIHost.exe	115
PID 1184 wrote to memory of 3532	1184	CameraSettingsUIHost.exe	115
PID 3532 wrote to memory of 1984	3532	msedge.exe	116
PID 3532 wrote to memory of 1984	3532	msedge.exe	116
PID 1184 wrote to memory of 772	1184	CameraSettingsUIHost.exe	117
PID 1184 wrote to memory of 772	1184	CameraSettingsUIHost.exe	117
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118
PID 3532 wrote to memory of 3604	3532	msedge.exe	118

C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
"C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
  "C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe
    "C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe
      "C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe"
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffbf36046f8,0x7ffbf3604708,0x7ffbf3604718
        6⤵
        
        PID:1984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        6⤵
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        6⤵
        
        PID:3028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
        6⤵
        
        PID:4532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        
        PID:2288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        6⤵
        
        PID:4436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
        6⤵
        
        PID:4948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
        6⤵
        
        PID:2852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        
        PID:3368
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
        6⤵
        
        PID:4344
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
        6⤵
        
        PID:2584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
        6⤵
        
        PID:1856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
        6⤵
        
        PID:2620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        6⤵
        
        PID:5220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
        6⤵
        
        PID:5340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16644256844662288630,17374333105938794407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
        6⤵
        
        PID:6064
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.wewiso.win/85F0-207A-1E4B-0072-88BE?auto
        5⤵
        
        PID:1704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffbf36046f8,0x7ffbf3604708,0x7ffbf3604718
        6⤵
        
        PID:1820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:884
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "CameraSettingsUIHost.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5480
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "CameraSettingsUIHost.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5632
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe" > NUL
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2472

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REVCMUNCNzAtNjdFNC00RDQ4LTlBQUMtQzFBRkM1MTVDNjdGfSIgdXNlcmlkPSJ7MUY1OTk3QjgtM0I5Mi00OEZGLTlEMUQtODVEQjExRURGMDYzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUUyMDc2N0UtQzYwMy00MjhCLUI3MDAtNEU0M0JCRjY5RDQ5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTY5NTg0MTE5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2600

C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe
  C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x320
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
448b7c8c3b3464847b28d8a3d56186b3

SHA1
8d68fb17d1185229fbb11c83e3e1302c2241e80b

SHA256
5ac4fe094bdd264cdd05031eaa7b06b94cda44d134c9c1f719a82ad0e258cd05

SHA512
eac10e9de38a513b2acc73f695be5e037ffe54d8cde3c5fb032122822de1df5f895b7924a3ab0a05aa644a6a9f4ee6f45f3452ad15dc242eb199d74ccdc532aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
729bed0edd331ffcfd597470f90f3e66

SHA1
a6ff8c58f693fcd9ca68887dfa10c7db29571f1b

SHA256
1e19cfa75b8d279d6295258451a6e2e8fde33c529050e8975ad77d38eb901b88

SHA512
dc697b5b083d69b98aa75a6ffe402430231ac1bbb2b313218e77937bd1571171859b3532a4b441bb674f591568050a45e3d3a19a97d4dff73dae70e15f8e34be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69c8b0b0e6ca795b7536a072d55cca74

SHA1
b1ad9915f8be283f61135124099077bcf536ba72

SHA256
1eda59a1d4d332afa5b69fdbc9c295984a77bfa2db6f0c1598f593b291d23faf

SHA512
30d277ea13c5862bda70c5274a51e9c1f0802939a9029c3d4f111ea117c30d230ea11486b771c34cb5be73cfd860e39c303a2fa99bc0deb3f2e539a67095f2e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
479fddb6c4a19922ce17879c51f8b630

SHA1
b2c883a2b7d34194c0901805ec83e2f7441717c3

SHA256
500fc0783c773f6da1af3e8c684b0a8796e76e99f1719a8d6cdeb4ea347a3870

SHA512
d54bb21ba10b94b959f88b8302ef78ce30b1f28e884aabfa66511bafa661e600c3577c87449b47bafa2c21c9ef337040e131eb606a016cc6e1caab91e93c3faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
193876a268a89f965c9c77e313444da0

SHA1
f53953adb6d15d3a7ee4f15d650390394b0b00a1

SHA256
fa8005f43cf93f81e25efdbf2af84d38e86a4fff9b05012badf906c39ac7ccf7

SHA512
c8b46ccd0f0765f598369fac91fd86b4d467e097297dbd50aca74de32d1db255bc16091dce347db94676b3145cd08809da853af99f0a43571284c7cbfda905d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgC96B.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
d8aedabc516d044544fa1fe9ff7d8c8c

SHA1
084179e8971a513d97eebd74a27e51f4b75220fc

SHA256
43173c230344a43f28dbf545ad727ad273ba9e5a42da24a24a2ed92d26d5fa77

SHA512
74f0afff0809f9cf19b9c2ee2c6373093ee7f69f08191c8a32f472115e44d57eae9679b16403185adef74993288d5f0e0d8c691b2d7b11efffbb1167c172804e

Download Submit
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
ef43cdd16c466cb5090916db60f7649e

SHA1
056c7419e962e882f2fad6ffab03805d802ce269

SHA256
3a18a63aeb3755f470b7b671020c310cc2733690f4b8bb8d48e8d7e32a3a5daa

SHA512
5089dec3d4131d791cb9e176367556859d95229b0bd04cbddc8d6812309f41e05f48a9723a60c312df302bdeddf9a65c1596f0bc5e8f5ed04c410a8dc12a1669

Download Submit
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.url

Filesize
90B

MD5
f440b72f96afe531766d2a6444ad261a

SHA1
a62e800661ebe179fa9fae3416ea2681ff0298af

SHA256
a5ee11cd5c890655c15bfc201d6a94646cdac2afa37a76428e519d6c37d537e2

SHA512
90d1d1352fbfa8663279ab3d40a60a63c692a64ec87f9613cb73dd566ad3a8acb24921dafe0e50be3224b4fe41ba04785525fe03b6fedb60a3485cea26cea2a9

Download Submit
C:\Users\Admin\AppData\Roaming\24.svg

Filesize
1KB

MD5
c971329597cf88d8b5e87cf5557067d4

SHA1
7fc2be6bf2920d5d34c3bd7318288c4aa12c6c88

SHA256
e1fda58d0d4eeb62eb790f7e23594eac460db03a2d2373bfd13e94860dcf38b7

SHA512
045b48c780d3482bee79cecb372f36cb1e705eeda37c6130dd12dbd432bce1fcf04a9b3c68618a9c9995c29c7f93314cd8d2fc6f6c6d44ac150c556926307577

Download Submit
C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05242015040017.xml

Filesize
922B

MD5
b327f714f4ca746733f335129136f01e

SHA1
9e73ebaf229d43dba61da0fba7392039d99cde0b

SHA256
e1fa52366cfb7518c1269a6d52de74b567a0c352a141725a7f35abca022dee1b

SHA512
86cd7acd2e692ddd4f07073b973b4ff18cc4d31faff54d320a8421eeb265059279f7c28a22112e23cee03e1d2cb37b9a1a329a2b21df7d89acfe9a842c320d69

Download Submit
C:\Users\Admin\AppData\Roaming\90msp-RKSJ-V

Filesize
4KB

MD5
2ffc46a244c8c828e352ff00ecd1998d

SHA1
027361be101f81885d640bdc37f1d570ae7641ae

SHA256
0bbdb01bac6545d87b2dc2fe5d198ff8120ef7c642a11b554a66bfe0a34e7a17

SHA512
d09fef8fcb254157faef211e2133184f8e6d1e4a33b0074b74fd762c8f4b1881ef1af2b839a1df9cb427c774a3be9f94f12faa7a8f25002d6b1c292f73e6657e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe-Japan1-1

Filesize
3KB

MD5
781ccb2bc5b2617ee1b745cfaed84147

SHA1
afdcb2f84a6333341615a0f4ad3a0b6b093d12ab

SHA256
8e5cb4e664b24787bc83420da55594088bb080a4461ae818a5ab5727d5f678bb

SHA512
87722978ab8fd9c26ea6cd79b177a402a73ae74fd46bf670dd324ac7b8f1ef1899017b9822eadec991958cba5a197acdf25bdfe2348157bd47a73b6b97b471ae

Download Submit
C:\Users\Admin\AppData\Roaming\Athens

Filesize
1KB

MD5
ad50b0f6ed4782e60822c8d1abba7363

SHA1
a167ba44366dd1cfd7b532a686885ec9ea1ce18c

SHA256
12050432abe192ad58ab204a8da8026a67c51f1d10f3cc8806751b9126873836

SHA512
d2a16e875126da763d4e2e5dda4a62dc4e6388f48778359726fa30976d8dd4ba9fc124f9753f8c166b304fa0d426ed8bc9c308a8fda6bdfc95674dfbfedf8d28

Download Submit
C:\Users\Admin\AppData\Roaming\Bangkok

Filesize
65B

MD5
e3c4113fe252d3c46dbaa35eef7f02f4

SHA1
265bd42d836078f774b7a6f58fb965935b78c578

SHA256
59ef2c2a894a1dbf1114e63e99edac386a023ae32c6ec9588951ddbe8debd676

SHA512
b3e54a6af4471de2ff59c2c4295e3681b13e1418017e14ed152c791e4aafe7cbb18a608b7c9a6b485d3a063bf9eb64a9b74248733e9286a83c869a12d3d17482

Download Submit
C:\Users\Admin\AppData\Roaming\Bangui

Filesize
65B

MD5
6dfc97c20597bdd8f62955bf1ed3a6ed

SHA1
137177304be17a23b467db93935347a0b9996ab8

SHA256
885dec56791f6ddd711930b61b2ed390066ea3b676e26a7f42681cf52277660d

SHA512
8c82f0bd3a69a80131f5ab0cd4b6a7d2a3698687f1d34a04ad7615be8ec990911b23749d54c039d4dfebeb2880c05f1122e6fb43adcf33d9955926c23b58560a

Download Submit
C:\Users\Admin\AppData\Roaming\CabDLL.dll

Filesize
22KB

MD5
abf22a87e1a591a9c3a868bd68b90c25

SHA1
c4554798997aa1762a7606d6ec8c8449acac6a6d

SHA256
c27579fc470d0e6ddd80dc010df6efb4f269d07d8881e8286717fd6b5eb5fafc

SHA512
781a7893bd7ae9521024e40793e31c67bb132d9b66e3de230a593be200a14d2f307e28ee684d537b74ae58c403808f099ff25a4d84b24936f01a881890d0e110

Download Submit
C:\Users\Admin\AppData\Roaming\Cyanotype.ahu

Filesize
100B

MD5
48d5dff58272563763841b8331e1f3a9

SHA1
4744d508450a84cdb940e382a849d595c93bbe60

SHA256
d700cdbaca0f987fae58df3a380f8d7aa54eb7241fb0ec66e98d2d5dd2a1ac2d

SHA512
22550cedea6c85b509df4636785e8644f88a235dd1e84df4665364d47af55cfeedb2872e3d58adde73513f9cf86520ec7c27694922b3a65bc37bc29b8965fc87

Download Submit
C:\Users\Admin\AppData\Roaming\Fortaleza

Filesize
377B

MD5
b6e775115b2708ec3df5686e5569b0e5

SHA1
2b346e081509c77a44be5b8c513b401fe4462249

SHA256
710bca1ee537bb94ce42502053561946cbbde7bb0eee46b4939cfd771cbbdc1c

SHA512
29c6cd9ac77c00d0e71e3d7ac21bda53ae07921cda92d3c94c8dd72dbd987c69df3b162efa85959fb5626840f4b213ebc5ae9079951e51ce0c4ddfd113e94d96

Download Submit
C:\Users\Admin\AppData\Roaming\GIF 128 No Dither.irs

Filesize
1KB

MD5
1cce87ca891f858873df3581d53080db

SHA1
bb1f732f8dc8dcfe5674f583b76adb1acba26cd1

SHA256
8415d196c71520811cf5245e00fa5e94ebdec10345ec38ba5a4070f3b0d76105

SHA512
226923f64dcbcecb13240bdb9898bdea0f6ecc33b73c7b79fa8324c6cbe09957bca4f945765753d9017da126a974217bd6e0de1ed8c38b955800c2425f941ff7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\CameraSettingsUIHost.lnk

Filesize
1KB

MD5
e330f04497190b1390ac1cc92fe2f6c9

SHA1
0fa53a278c5e08c2bd3e52b5fe595ed6717bcc8a

SHA256
66f5d178f32a8f67dcd850ca61d5205a1b0648b94289f57f0db6126c647a00d8

SHA512
f1d52eda3682a4771aa69d7909266044c0297d83bd818e3c44886c872898c00d9f155fe1279838e739d49cb52f9120c9f0fae6ac41a001634d7e9b6701cadc99

Download Submit
C:\Users\Admin\AppData\Roaming\WearHop.9

Filesize
129KB

MD5
f580b0eaf84d48c12bd41bd69f4f9afc

SHA1
668af376385b795ac186f678f0bb4ed8dc26df68

SHA256
a57ce86f238509a59b85e8ab170466c233d80fb0f0171d32f7c6a5d1753cf5fa

SHA512
aa694d31935e710b5b87292a04c450b1403423dbed1ebfefd2747f144639906441e5bb813cbbd28165209b90ea3b45e7751815b0bc276d49457c8e960f2af90e

Download Submit
C:\Users\Admin\AppData\Roaming\accelerometer.png

Filesize
3KB

MD5
ee605850778b585f63c6382ab05e8112

SHA1
4463ca8edb3c221fd0bec825822d0f77b71d2e10

SHA256
583e9114740dd5e71aec0a4bab86d644c1856a3008d248f41502fc4368b62398

SHA512
ab521ba8d4b06b0d440d80a50b2439ec983a26df943021c82a9cabf931c352e11e6f8e12c5b97ffaed30ea60bf989c04fe5e96237cab6dc06241c19a4464e50b

Download Submit
C:\Users\Admin\AppData\Roaming\app_updater_smartbutton_normal.png

Filesize
2KB

MD5
4e7a4217392410d55c48d1dabae0cb38

SHA1
7173d944ffb06977e8f7b8b214ecd4142ed3b9b7

SHA256
aca70b5b238f37c84fa9a3b6db39d56abf120629e4ded88b5270987bc7eeaf96

SHA512
034b581edc5d3cc810394e8a61460c0613553f2f379c62c036659e862c27cc42d8ad6f4c366bd2133a5ea53c4ee3c748839accb6755e9f9100107e5d305665e5

Download Submit
C:\Users\Admin\AppData\Roaming\aw_main_header.jpg

Filesize
4KB

MD5
ccc85d0cd50498698b6884b0c01eceb5

SHA1
500c60fb341f8834ee26bb5ada33f22dcfffbda7

SHA256
e3bde6b2633f4f8f1482bd24394b70a9510df849ec912c76f7a68be867a0cb7a

SHA512
e4892b9d6a4d6b2008052d9a53b1ca04185f26ca710e0cab6e4bc0deaba28efba6dc3664bbe6267c0f4a2c888fed8ecc3eef19ae1e6a019ac81cac0f5d4ee893

Download Submit
C:\Users\Admin\AppData\Roaming\blue 072 bl 1.ADO

Filesize
524B

MD5
f149b2ba2027e4023f5c77af4c3a87a0

SHA1
b345e170c51b10af093984932eea53f4ae73d106

SHA256
b7d7d04467e439cacd5d52d515b8d3d75ea9d27370808da0b6bc1d3f641be5ea

SHA512
55703f521c008e8c9da345493584568f923acda7f34b831ef8c51a8247a9d1cd3fa8065d061ed796d60e456d7141c88555bba8cea61e6d3c230576f9d6f21f9e

Download Submit
C:\Users\Admin\AppData\Roaming\btn-back-static.png

Filesize
3KB

MD5
81e9e2761a1abaa59f61881664ce5a88

SHA1
049529b80a5bb5b7ab4e1b3e7c519bd4a833243f

SHA256
5aefe8f5e8ef8c6d9b68ddd22b530b0971c867d3d48bc30a5269ceaf2274901a

SHA512
62d773f2ee5678e978c4bfb249f3b043c9c777eb45a6d9891e27eb7ab80f1c2bc05993329a3f88c1370f19d31819471a32e27db116b9f7a19d70690b6e6d0179

Download Submit
C:\Users\Admin\AppData\Roaming\caution.png

Filesize
887B

MD5
c81b5317d4908545f44864fce61f1851

SHA1
2845725264796608d781187d95d7d41ab872dea5

SHA256
e9faf89885257ccdf9b9cdea3c4104079977d43d907fd948f4c1526aee0c923a

SHA512
f1cfa4d3aaa99bfcd51fd39314b75547e5ba26df5daf3ca432d95941e42099b5e429367ee80caae0f4e00ce5a62a4e5c4eea9e7b4deddc82c68ba7fe382a51e8

Download Submit
C:\Users\Admin\AppData\Roaming\cpu.png

Filesize
4KB

MD5
21ddceeb0c385676eb35365c4ff1d24d

SHA1
9cbcd87590720bf2ce80304d0b298fbb44cb61e3

SHA256
82a9d562fac82452d5a767c2d0355e2e8f2d8550b62091522ab3985f6ec7ed0f

SHA512
15e115831e4ba38e8d73044cf50de8f8777faba3d1d099dc5eaba7af53ff87cb7c752f708b25aee35e1a416cac9debcf4f94e85d45a58ab109ac45d435c22840

Download Submit
C:\Users\Admin\AppData\Roaming\dingbat.font.family.xml

Filesize
1KB

MD5
ca0b373b889e605d1b85dde93f301e63

SHA1
a72b53f9f77f979bde20247b331b1809b58e1cba

SHA256
7e1958d6db091553d31366647375ddf1b9a3a747dfbbeb067b51d3b04be97f6f

SHA512
4adeaabb6f75859d686d88089b3be8ebe81a973aaf73fa28571961599f70143f356460ec4e10054c8864f0a15418ab1797f0418a4bbe16e68f6ae8cec7d37944

Download Submit
C:\Users\Admin\AppData\Roaming\draft.watermark.image.xml

Filesize
967B

MD5
81a14090a89ea84f314bb42c45978088

SHA1
6eed3a6053cb148bda8bc91997fc72217d53b24a

SHA256
b33347a75bba19d1832ac914dae86097b9485ff3d64c33741522c7f28c349c39

SHA512
00b77fd31a1cdb04adb57db4dbe15e2640f0ba411667378fed197ecc49d2af86e23b37cfb99b1006fca177ddd7362cf5cce0c5ec8646d63c10dbb4a22b846525

Download Submit
C:\Users\Admin\AppData\Roaming\excel.csv

Filesize
1KB

MD5
802d14c8b7994818f8da8d3c16ceca0c

SHA1
9405d119653f03bbdf9a12df89e66476b26810d6

SHA256
739a7e4c197fc12287217eab7e52ed30a2b50cff7ac1905bfa62e4ded8d37b35

SHA512
0889bdedfb4cf54eb2bb1eb3be6398d9c7bdbbc6b005522a7487c99c70908ee2cb9b954a523f16693ead2dc932028c051088faca1a6a56d89a0a764047da29ff

Download Submit
C:\Users\Admin\AppData\Roaming\footer.hr.xml

Filesize
881B

MD5
e586476b3a6efc0756e821207fa287c1

SHA1
b146c212391eda28e0d7325ebb2c79d357023ef6

SHA256
4fb548b7299ec5169152b442f494e458298e3897c98f29a48145768b40d07bb9

SHA512
f4866ac94712bd47f187df835ebfe5543e55d8879c305715ceaab47b2bc08fdce658b6e24f59ed82a78ca8ff4bdb13f63475a8a1e030a8ec97326f1f719dcf3a

Download Submit
C:\Users\Admin\AppData\Roaming\formal.object.properties.xml

Filesize
1KB

MD5
8caf19a4defdf0503c9586e272e88b3d

SHA1
7448169d23bce710bb687eaf10da08119bfe7ac2

SHA256
77ce6bd5a30454e48f216d504f592f84d18fe59d0b52cd89787b4cdb06420be8

SHA512
d4c5dc1eaed5fa90cc0d2c269bab99bb55f25eaa81cd7a5a894745b8ee349fc4e9db837072800ce3fec6f16d794e4e11f336c488bbbc0c5f011176ee705e626a

Download Submit
C:\Users\Admin\AppData\Roaming\{30AF1670-B459-98B4-F173-89DB22514C70}\CameraSettingsUIHost.exe

Filesize
244KB

MD5
0c8d0933037436b674f2b8478ec5baba

SHA1
e8a7034c43d84b18fb93dc02e8a0b818a645ece1

SHA256
2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1

SHA512
305050c391f443007e3f6e2e4ec60997da69db406b6d85efd19ed9f71683dbc9697280307867237b24034ebe9d99e8f249fc5fc75cb5bfe55721c283261ab144

Download Submit
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.vbs

Filesize
231B

MD5
9d8c4bfbd009c4d6001e2125abaa8b02

SHA1
cd040558172b5fca5b200447a281843956243741

SHA256
a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

SHA512
c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

Download Submit
memory/1184-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-495-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-130-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-131-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-534-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-537-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-513-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-201-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-202-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-203-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-204-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-123-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-523-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-526-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-498-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-507-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-504-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-501-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-129-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-492-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-520-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-510-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-516-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-531-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1184-529-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-194-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/2664-120-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/2968-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2968-197-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3504-38-0x0000000002730000-0x000000000273E000-memory.dmp

Filesize
56KB

Download