Analysis
-
max time kernel
139s -
max time network
133s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
05/03/2025, 22:30
General
-
Target
b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe
-
Size
353KB
-
MD5
6e352cd0e6130ec8e16c0a212f0ddfa2
-
SHA1
fb4a19beb12dac8cc3ec5bf0544c2d7260dd8eac
-
SHA256
b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b
-
SHA512
3b9776eb4de648bb550af2252d16d5708d01dbf89de518f9fcab00f5fb44a4cc7ab8fcf529a990f8c4c4dd79d664647d5eb72768c5c5eb2b5e3ceec9c279a164
-
SSDEEP
6144:/vHLtLMCHg3FxbyypAlFy1BWfc3xhacB58A22LU1Z2B0lrTs4HybaY:/fLhMCHgVx2ypgFy1BWfyEL2vOTsCY
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\_HELP_HELP_HELP_RWVHLI9K_.hta
Family
cerber
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>CERBER RANSOMWARE: Instructions</title>
<HTA:APPLICATION APPLICATIONNAME="Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
<style>
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 13pt;
line-height: 19pt;
}
body, h1 {
margin: 0;
padding: 0;
}
hr {
color: #bda;
height: 2pt;
margin: 1.5%;
}
h1 {
color: #555;
font-size: 14pt;
}
ol {
padding-left: 2.5%;
}
ol li {
padding-bottom: 13pt;
}
small {
color: #555;
font-size: 11pt;
}
ul {
list-style-type: none;
margin: 0;
padding: 0;
}
.button {
color: #04a;
cursor: pointer;
}
.button:hover {
text-decoration: underline;
}
.container {
background-color: #fff;
border: 2pt solid #c7c7c7;
margin: 5%;
min-width: 850px;
padding: 2.5%;
}
.header {
border-bottom: 2pt solid #c7c7c7;
margin-bottom: 2.5%;
padding-bottom: 2.5%;
}
.hr {
background: #bda;
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
background-color: #efe;
border: 2pt solid #bda;
display: inline-block;
padding: 1.5%;
text-align: center;
}
.updating {
color: red;
display: none;
padding-left: 35px;
background: url('data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=') left no-repeat;
}
#change_language {
float: right;
}
#change_language, #texts div {
display: none;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a>
<h1>CERBER RANSOMWARE</h1>
<small id="title">Instructions</small>
</div>
<div id="languages">
<p>☑ Select your language</p>
<ul>
<li><a href="#" title="English" onclick="return showBlock('en');">English</a></li>
<li><a href="#" title="Arabic" onclick="return showBlock('ar');">العربية</a></li>
<li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li>
<li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li>
<li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li>
<li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li>
<li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li>
<li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li>
<li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li>
<li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li>
<li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li>
<li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li>
<li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li>
</ul>
</div>
<div id="texts">
<div id="en">
<p>Can't you find the necessary files?<br>Is the content of your files not readable?</p>
<p>It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware".</p>
<p>It means your files are NOT damaged! Your files are modified only. This modification is reversible.<br>From now it is not possible to use your files until they will be decrypted.</p>
<p>The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor".</p>
<p>Any attempts to restore your files with the third-party software will be fatal for your files!</p>
<hr>
<p class="w331208">You can proceed with purchasing of the decryption software at your personal page:</p>
<p><span class="info"><span class="updating">Please wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.onion.to/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.to/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.link/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.tor2web.org/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/D111-1DCA-36C8-0006-4DAE</a></span></p>
<p>If this page cannot be opened <span class="button" onclick="return updateUrl('en');">click here</span> to get a new address of your personal page.<br><br>If the address of your personal page is the same as before after you tried to get a new one,<br>you can try to get a new address in one hour.</p>
<p>At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.</p>
<p>Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you.</p>
<hr>
<p>If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <br><span class="info">http://p27dokhpz2n7nvgr.onion/D111-1DCA-36C8-0006-4DAE</span><br> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p>
<hr>
<p><strong>Additional information:</strong></p>
<p>You will find the instructions ("*_HELP_HELP_HELP_*.hta") for restoring your files in any folder with your encrypted files.</p>
<p>The instructions "*_HELP_HELP_HELP_*.hta" in the folders with your encrypted files are not viruses! The instructions "*_HELP_HELP_HELP_*.hta" will help you to decrypt your files.</p>
<p>Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.</p>
</div>
<div id="ar" style="direction: rtl;">
<p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p>
<p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".</p>
<p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p>
<p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".</p>
<p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p>
<hr>
<p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p>
<p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.onion.to/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.to/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.link/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.tor2web.org/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/D111-1DCA-36C8-0006-4DAE</a></span></p>
<p>في حالة تعذر فتح هذه الصفحة <span class="button" onclick="return updateUrl('ar');">انقر هنا</span> لإنشاء عنوان جديد لصفحتك الشخصية.</p>
<p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p>
<p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.</p>
<hr>
<p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p>
<ol>
<li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li>
<li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li>
<li>انتظر لتحميل الموقع;</li>
<li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li>
<li>قم بتشغيل متصفح Tor;</li>
<li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li>
<li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li>
<li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/D111-1DCA-36C8-0006-4DAE</span><br> في شريط العنوان في المتصفح;</li>
<li>اضغط ENTER;</li>
<li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li>
</ol>
<p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p>
<hr>
<p><strong>معلومات إضافية:</strong></p>
<p>سوف تجد إرشادات استعادة الملفات الخاصة بك ("*_HELP_HELP_HELP_*") في أي مجلد مع ملفاتك المشفرة.</p>
<p>الإرشادات ("*_HELP_HELP_HELP_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_HELP_HELP_HELP_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p>
<p>تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p>
</div>
<div id="zh">
<p>您找不到所需的文件?<br>您文件的内容无法阅读?</p>
<p>这是正常的,因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。</p>
<p>这意味着您的文件并没有损坏!您的文件只是被修改了,这个修改是可逆的,解密之前您无法使用您的文件。</p>
<p>安全解密您文件的唯一方式是购买特别的解密软件“Cerber Decryptor”。</p>
<p>任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的!</p>
<hr>
<p>您可以在您的个人页面上购买解密软件:</p>
<p><span class="info"><span class="updating">请稍候...</span><a class="url" href="http://p27dokhpz2n7nvgr.onion.to/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.to/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.onion.link/D111-1DCA-36C8-0006-4DAE</a><hr><a href="http://p27dokhpz2n7nvgr.tor2web.org/D111-1DCA-36C8-0006-4DAE" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/D111-1DCA-36C8-0006-4DAE</a></span></p>
<p>如果这个页面无法打开,请 <span class="button" onclick="return updateUrl('zh');">点击这里</span> 生成您个人页面的新地址。</p>
<p>您将在这个页面上看到如何购买解密软件以恢复您的文件。</p>
<p>您可以在这个页面使用“Cerber Decryptor”免费恢复任何文件。</p>
<hr>
<p>如果您的个人页面长期不可用,有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器:</p>
<ol>
<li>使用您的上网浏览器(如果您不知道使用 Internet Explorer 的话);</li>
<li>在浏览器的地址栏输入或复制地址 <a href="https://www.torproject.org/download/download-easy.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Contacts a large (1089) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 44 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 17 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 11 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe"C:\Users\Admin\AppData\Local\Temp\b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe"C:\Users\Admin\AppData\Local\Temp\b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe"C:\Users\Admin\AppData\Local\Temp\b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe"2⤵
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_HELP_HELP_5J7ZE2L_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im "b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004CC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\d256f2cb8aad4f97885236d47d60a8cf /t 1912 /p 22961⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\OptimizeHide.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe"C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_HELP_HELP_5J7ZE2L_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5ee240fab5b2628d6e8082bd05c20bccd
SHA1b5ce592ba733469c70f4dd7f13718bca28c6934b
SHA256292287ed220d5dbe10beb352571b82e14dd1db25f43798beef87ecc38da73fca
SHA5122c4de726c5cf47b6fc66a8c502b8aee9239ff3e3bbc074ae85660c380f88fabdd8131bd95256353a0a708a9b762329f383d865dbe52482415699a9990411432d
-
Filesize
45B
MD5674a522d4da661e10bf2faeb26211654
SHA153b554607f83d8c4af7a15a855c93933c1334efa
SHA256493800fe0860fe9847458551d720bdbddfac2b45530cf39339e0ec34bf4dc169
SHA5128e229a57a169948f0e0726a31e0602d99eed38894c9c707d7966ef91997b946b4fb010099a086b9c4d8c348355c6bf947f7172fcd100af7272c0c28a180daa91
-
Filesize
18KB
MD5594ebacaa34816a92c4f5ea416fce6fe
SHA11865b81b714a37999b050b1b517a007cd27b4625
SHA256c93f791502b49f7c2fbedcd3b8b70f64c5d0c92f232baedf75596863762e1b92
SHA512af9d582f0afbfb47ec50a0724940d311aeef66293033d7595eea205e7bc350eec5f8b4b1d43eb49112af243176a1265fbd6d98fbf00465e90df38c75ae053e6e
-
Filesize
426KB
MD5fb1e99c958c628c0f9e776871910af1a
SHA1c98fea40271b692d4520295ca8c5915c5766fb0c
SHA25695cfdbe115d2d248bcc20b16c0ce003a1e4e650d62367dca2c5fe759e330b784
SHA51248d6d96f11c54edd1f954caafa432c7922f096a92046641ec6ce354bc9a7517d897a45ed83107ad52cbf44a13bacd94c4c637a95890714ec3cdcb6ff10000b99
-
Filesize
74KB
MD5260346768306658b13d8ade7fb1b955d
SHA1c129918c0f32919f51bdd6e3526d66fffb91e252
SHA256245ce7b900e11fd6fc47b7ea0c8b782b28c1f2bc40ac7b32e032180e44fe36cb
SHA512a89d957d676837150688380e18937836d710eddead857f80297f6d8eb7e309b1afa9cf9908d807f358cbe851a4c8608b92a7753bda4ec46cecdf91fa95a2041b
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
