cerber | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

max time kernel
141s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
20/03/2025, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___KRPN2C8E_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/0143-EC4B-AFFE-0098-BB59 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/0143-EC4B-AFFE-0098-BB59 2. http://xpcx6erilkjced3j.19kdeh.top/0143-EC4B-AFFE-0098-BB59 3. http://xpcx6erilkjced3j.1mpsnr.top/0143-EC4B-AFFE-0098-BB59 4. http://xpcx6erilkjced3j.18ey8e.top/0143-EC4B-AFFE-0098-BB59 5. http://xpcx6erilkjced3j.17gcun.top/0143-EC4B-AFFE-0098-BB59 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/0143-EC4B-AFFE-0098-BB59

http://xpcx6erilkjced3j.1n5mod.top/0143-EC4B-AFFE-0098-BB59

http://xpcx6erilkjced3j.19kdeh.top/0143-EC4B-AFFE-0098-BB59

http://xpcx6erilkjced3j.1mpsnr.top/0143-EC4B-AFFE-0098-BB59

http://xpcx6erilkjced3j.18ey8e.top/0143-EC4B-AFFE-0098-BB59

http://xpcx6erilkjced3j.17gcun.top/0143-EC4B-AFFE-0098-BB59

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1105) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Downloads MZ/PE file 1 IoCs

flow	pid	Process
86	5172	msedge.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4640	netsh.exe
2008	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	Cerber5.exe

Executes dropped EXE 2 IoCs

pid	Process
1052	Cerber5.exe
3992	Cerber5.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\e:	Cerber5.exe
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\e:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
85	raw.githubusercontent.com
86	raw.githubusercontent.com
84	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	Cerber5.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp845E.bmp"	Cerber5.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\bitcoin	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\steam	Cerber5.exe
File opened for modification	\??\c:\program files\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\the bat!	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\	Cerber5.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1791486240\manifest.fingerprint	msedge.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	Cerber5.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1791486240\sets.json	msedge.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	Cerber5.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1793473119\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1041392460\manifest.fingerprint	msedge.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	Cerber5.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1041392460\manifest.json	msedge.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	Cerber5.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1791486240\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1791486240\manifest.json	msedge.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	Cerber5.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1791486240\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1041392460\typosquatting_list.pb	msedge.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	Cerber5.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1793473119\data.txt	msedge.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\	Cerber5.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3288	cmd.exe
6060	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
6140	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869868377881267"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{6E4606E2-C16F-48BC-877B-E9C1006BB899}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	Cerber5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
404	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6060	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
6052	msedge.exe
6052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1052	Cerber5.exe
Token: SeCreatePagefilePrivilege	1052	Cerber5.exe
Token: SeDebugPrivilege	6140	taskkill.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5364 wrote to memory of 5376	5364	msedge.exe	78
PID 5364 wrote to memory of 5376	5364	msedge.exe	78
PID 5364 wrote to memory of 5172	5364	msedge.exe	79
PID 5364 wrote to memory of 5172	5364	msedge.exe	79
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 1820	5364	msedge.exe	80
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81
PID 5364 wrote to memory of 5916	5364	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffdb138f208,0x7ffdb138f214,0x7ffdb138f220
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2496,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:13
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5056,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:14
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5136,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:14
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5156,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:14
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5552,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:14
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5932,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:14
  2⤵
  PID:2044
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1140
    3⤵
    PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6000,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:14
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6000,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:14
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4240,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:14
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6504,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:14
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6356,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:14
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=568 /prefetch:14
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6372,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6780,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:14
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4920,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:14
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2028,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:14
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6240,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=764,i,17380671728482892747,4048897109247630923,262144 --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:14
  2⤵
  PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1104

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1052
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4640
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___73E4_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5932
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9COE6R_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "C"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6140
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6060

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8d70cc0d-2ca7-44c2-a4ca-b225f5e4cbed.tmp

Filesize
37KB

MD5
bb1f48d2c7c174933ad8a28bdab50d42

SHA1
fd3f632bfc717a68d175a27b61daf921155141d3

SHA256
22cd3db6a24b5654ea62b5842c84eb39f9345fef066f31e5e28404ca10af014b

SHA512
2cf6d5b4bacfcd13a02c41834d1054b49a28585bfc2b5c8218a7a061a7a0c735c175538b0278a7adbc3d5250bb7a2977c7e8439269d7ab48650c44badfbd6ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
24996f8a8d7fb188f6636141f440ad20

SHA1
8951a6ebc9065746f6c0fba640cd7ad872c7aef7

SHA256
5f5352bc5f97ab480cf853018edb54aaf88e7c723db3c4481e0a21492912af46

SHA512
f0bc9346b2ca22e852952597e342afca567e966e1d2cb992079d5856d12a0f7ee072a87321c38d1a4733503557bd8084df0779617c296f968a0f8aa2a47e23c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cbcbbade31c5f8a1b6bcab5068efb75e

SHA1
4d1db5a8f9d85e82ef7ca1bbbbed0d3fb23c5ef4

SHA256
678a64526577507ef70a238eeb854fd9a04fa3f20d93a041c5e4f2d79bd1b750

SHA512
88eef85643c7db0c56b65f6d414b023ec17ea4ba61b32689e5ccc2fc7818fedef83b89b346cb8494ba88b470e6c4ad7f6fc36d8f5a683cba3981f545d76086d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fa50a22242b27a0402ac89f0af9c1e01

SHA1
3ebdec7f89bc1f5e2ea69564bd7115d089239a18

SHA256
c6372ce0a7fcea8beec9ec0052b36dcd6792f515e4b7eca61f522809233ceb8f

SHA512
903651f4b093cc2f7e0eba1b3c1a3f019ff30f17a5bda10db66a944ce44ba052671c56b0a1e3bec7f5fd252fdf3ce5c1fb9994c377740342a3c3374ec2c6f402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\c22b514c-e1b9-4095-a065-cd9b98a5d27b.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
b95232d737ded562f9ec4c08b44f7f10

SHA1
e1181eca6e990c6898a3e07c97e1a0898c26f9be

SHA256
12ea752ba8197dce5782de89ccefc7de5ce25a4d7c728aa7b89c64ddf6a52c3c

SHA512
23c5dc331e35940a3f57ba8754aec258efe8214d01722ebab300e82c008527af1635fde7393576a0933108eae1d900a7d6a9a5e7184e1ae02beaf9535f82028a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
411KB

MD5
e283184b4ccc8159562f2d445898758b

SHA1
4b978add15fc7ce7242cffb8025c336b92644779

SHA256
437793ee1ec66dbcc1bb379e6feafd79258467e2932bd8aa59fae21e30fd2a05

SHA512
c746dff67df2a18260f36f164484993fa43b012958c4a2f52a81d97733f8f32e02c09b9f31d4fa027bcb272c739aa23a6a478c7c87ccdeda128ec3c086073531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
af8e844adb621af3c31aa1ff225dceb8

SHA1
08d499fea3635daa276f24bfd661baaffd09e8fc

SHA256
05414697a935cb987a49f3a59eae7353d91ecd2dd113b53026a9a8b3b27263fe

SHA512
94d9b6db11648ef1925e66fec0b051970232cb9962a750157a363f439a983cd7c3c61b6a8608ebf03d2d0d56fe83fdd898734ba4d410dd133f782caae6c97e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
d4d7d5e149dce9e89da064a792fb2662

SHA1
1dfab193315fdbb1b7f96bf72fd12949c72940f4

SHA256
2cddb0ec9a1b3a350420f25cff6090ae755d63398c94d7be27e718bdfac89616

SHA512
05868ed38a4a41051e07c9c08753e750f0e0723082adc71f75f1c8d65834cf3bbc4ebf1fc2c326c2f27e3918f5896af5b158b08c6ec2f53f09685337629b54ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\6e425417-3848-42bf-89ee-5c92e885fe37.tmp

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
bf526fb6c9474aa4b48d47a09f98fa92

SHA1
ecfbadfe4465f9272b1eebea67f193264a1d43e6

SHA256
9536b006163d2f7d439e1ad7e52cc8ad28d7e18acb6f4fee0336d7ab8e62e769

SHA512
f7b22e78865da19a6535591ceaa4123b2ba2372e2606c3512c28e6fcaef73814f994ace639ed8945c3b01e46838c265426f62ecddd84fb019be268e5d379a05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
ee769d07bdf2faa146039f1b8ec93d77

SHA1
570bcca9926f511c3db8b1b3e133d6775f4716f6

SHA256
f6155f39a4d739c18120f006912fd90dc7affb4f93a55d619d5a044d585759cd

SHA512
56254c1749d21ee6971d0c758c413e1bc6a5c8a3e73596938db64ecb639b435d48dcdcd665c8aadbd426d68860c3fe3d8154b351bf3a97ef377970149dfcd477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
f3d25561388bd77d7ff40104f517c04c

SHA1
f375ca02910fcc6d7e3fb58ea43dd29fab3409ab

SHA256
a64c38bb37bda9fae1aa3aa311b9d7c7744fafef286e5da7ce1bf4e1fad40796

SHA512
50d8bc0c19522b163a6e3f7be7ccb3d2ebeddae6aab8b5edd308e01bcd40b1ccbfdc96af7193392a4ca7ca8c51ce8b83475d314a20650a153e217462136186c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
fda5a53bdeb1d52e86486875615e6600

SHA1
21a4c7ddd14f802d6e990234b595a93e3d32b94e

SHA256
8e1e0baac5235a2fbb1a68f6c656e7d3ab9acfa0c6ea4a9724969fc2feca4134

SHA512
9d340d56e2a65485d43ddd5a046f1f53eb357e71e819275217b47a921fd97724695cfedb7dcfbc3309370a3521b7aefe495ecb9a54e2a3ea792c08427954717d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
bed9696c6fa6713cf5bafe04d99afffa

SHA1
be8e520956102951523cf37b1f332cf0312a953c

SHA256
744b5ce0a7acd3c7bf3dfaa30b0e3eb97e54e8de6a16de0b204993db8b8ce297

SHA512
9c1a05cef849329db3f58e2feed8158639fe01d5ee1f1f87e6c23145029cc1f3e0f8a2600cbd68787d03207b19f57a0cd4c8cfcab9529b631040d317ba4fd964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
ea54c377edf93e26207550e56713ea4e

SHA1
1f8a5b3493c71a5101d865835e2887af4e1c9b88

SHA256
8a9ad16817328299a37afdd0a3933b400503fb35cf45008bf11559b67d9ebfac

SHA512
931194050b4e6b308055995df8a3c184183bfdd671e16fd35889aa64e4cb942672d54d0b78483643a3d14e4cd144e2efef5473f040b76c0e16a5c9d4f6a11628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
438318d4dc08d01ec766ba0d9988263b

SHA1
25d0918ada63b24702afd155b8c6809476c56b3c

SHA256
3d1c8f4546926c25f08214279a5cf9c90f28353a159c722f7ab805d46804f697

SHA512
faedd34105be6741bce2aedd401b0a50baf151b0043cbbcd41ef17c2b4b1bcffc7db5ca46fd5412ca2e519d7516a866ada4158f376d4d5001298c11e808f2fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
8ffedfa79fba2a55904377531e0fbbfa

SHA1
7d1844c99fbc8bfd1492acb80ab400263f05cd8c

SHA256
62f96e6eb751eb084a6e7137ad57ddcb4bc9b031b95219ad86d837f783ba0e4d

SHA512
6a56f34464f9f1fa260cae2341cad7bb0e65b739616766ae6d4e3978a0882ba5eb731dca430535fffd15fe9a51e4403988baef0656b24e49ddd3c02c2947ca71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
98db9089de19a02cc6b9679e6ae2b7a8

SHA1
c7b3f102398be2966a0bcf872bfe81901a11bb63

SHA256
bee8a6ff0feec596ac73a689051d38e402cb0ad097b60a834096c25af83fed38

SHA512
f58ad5a6d612dc63cf59e4a5d3ddbfec6179324f474c80e705bbd84a4abd75c407ab128d4b62d3edbe8656bc881886a3901213753d8c7f02f19d822952b53a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe580c4f.TMP

Filesize
392B

MD5
a72a10c76d49047823df2a481659205d

SHA1
cef15a7925aea9b52a6f05cc943da15a27f80980

SHA256
096392af46f31c20c48c1348b511364895e37a013242c6946699c8702094f02f

SHA512
39f48a4a59aed8b59770f69ba35296833defbf8791b2a073c4a6f77208eff4800a8c54f5866888d08ccc7b70d7ed7a6ef8a7bc383aa28a9c14329d26e5cb0d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.20.1\typosquatting_list.pb

Filesize
638KB

MD5
da8609745ded15c07f9b3b42a794f1bf

SHA1
6f51794da7f06ce1e79ea3e42a22f67d068525bc

SHA256
7dd01720dc53471b5cfb185a9b1e39be94a095c53e5dc8a295818e425ca265c6

SHA512
a04bd2845bd6df19cd59eb6d62be863ceffca5841f8c878c289364418a89e4b0f1efa4224f3fb0d10a010ce73a23a60e81e6d7437ec27da3541f085e22ac938b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___KRPN2C8E_.txt

Filesize
1KB

MD5
5620bf92898a37ddfc633056c560d332

SHA1
c4ddfc04691804948a5d95fd396e7538a051cf08

SHA256
43c6d2e5d67979285c921cb86fcde957df43b1ad2e100779a0cfac19b1051aa9

SHA512
15e6fb17d980635bffa63f5e62da97f3df16518bfc278293f381a90d808f85dc6e49301dc6af0eca7dd5254011b0d1d1ef6a1cd7bbc09e390a287084761c76c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___PWANAMD_.hta

Filesize
75KB

MD5
8edd28f6fa9cfbf124a617f392ef82c8

SHA1
2fb6fca5b52c9e48dd9a8751b90c60dc7591a0f0

SHA256
83fa7b8b5bc7452334d7355c641d565da53cce73498fd0f9a8154d86bd5b3ea9

SHA512
889130200792e6fd8fdadda41e992d6921be868bd5aec272e007c975294607195593274201dd5153d3eb5d056f1556f708c4a74ac9f71bb0dba06f68bfbf97b1

Download Submit
C:\Users\Admin\Downloads\Cerber5.exe

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1041392460\manifest.json

Filesize
118B

MD5
395a738237cb5606743da99d5459bd59

SHA1
53a2e376dbba8020189b4d629d1ce452c43abc42

SHA256
6a15b2c0969575a4ae419e8b0eedc7c5515c8ae3dd73771e431e484689684aac

SHA512
0ac1112218d23328eb3cccf777c9bf7b0c31b71387fc620d0f91fec73994661021524ae66d8b81f26d1d7f4df8ac60c12f7852c72c65030d0c106a0ba773a8bb

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1791486240\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5364_1791486240\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
memory/1052-977-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-967-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-1035-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-589-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download