Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
20/03/2025, 04:02 UTC
General
-
Target
c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d.exe
-
Size
645KB
-
MD5
c81bf51e6e148ffcd51c0d0b538d6a19
-
SHA1
5aa0dfa5141306e7bfecbd0ae781f8bb284b53e4
-
SHA256
c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d
-
SHA512
b4ec4ccec37d71b61dd5873dbc7e994aa86d2450ba97b7e086ddb7578105f4bf0b05cc01605708b95325c31b1d805b94ba05c5fb73b5a74b49a2e33845241bb2
-
SSDEEP
6144:k9DlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsRyYgv:elYmDXEpDHRXP01yYC
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___7LMK_.hta
Family
cerber
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>CERBER RANSOMWARE: Instructions</title>
<HTA:APPLICATION APPLICATIONNAME="ktrR7U" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
<style type="text/css">
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 13pt;
line-height: 19pt;
}
body, h1 {
margin: 0;
padding: 0;
}
hr {
color: #bda;
height: 2pt;
margin: 1.5%;
}
h1 {
color: #555;
font-size: 14pt;
}
ol {
padding-left: 2.5%;
}
ol li {
padding-bottom: 13pt;
}
small {
color: #555;
font-size: 11pt;
}
ul {
list-style-type: none;
margin: 0;
padding: 0;
}
.button {
color: #04a;
cursor: pointer;
}
.button:hover {
text-decoration: underline;
}
.container {
background-color: #fff;
border: 2pt solid #c7c7c7;
margin: 5%;
min-width: 850px;
padding: 2.5%;
}
.header {
border-bottom: 2pt solid #c7c7c7;
margin-bottom: 2.5%;
padding-bottom: 2.5%;
}
.h {
display: none;
}
.hr {
background: #bda;
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
background-color: #efe;
border: 2pt solid #bda;
display: inline-block;
padding: 1.5%;
text-align: center;
}
.updating {
color: red;
display: none;
padding-left: 35px;
background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat;
}
#change_language {
float: right;
}
#change_language, #texts div {
display: none;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a>
<h1>CERBER RANSOMWARE</h1>
<small id="title">Instructions</small>
</div>
<div id="languages">
<p>☑ Select your language</p>
<ul>
<li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li>
<li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li>
<li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li>
<li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li>
<li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li>
<li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li>
<li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li>
<li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li>
<li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li>
<li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li>
<li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li>
<li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li>
<li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li>
</ul>
</div>
<div id="texts">
<div id="en">
<p>Can't yo<span class="h">awUT</span>u find the necessary files?<br>Is the c<span class="h">X</span>ontent of your files not readable?</p>
<p>It is normal be<span class="h">4oX6Qjpcp</span>cause the files' names and the data in your files have been encryp<span class="h">AT6yBinoZp</span>ted by "Ce<span class="h">fwTo</span>rber Ransomware".</p>
<p>It me<span class="h">QCKkFBVH</span>ans your files are NOT damage<span class="h">AeCec</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">qb9v</span>rom now it is not poss<span class="h">CcLBnQoCNH</span>ible to use your files until they will be decrypted.</p>
<p>The only way to dec<span class="h">8aBYJK0</span>rypt your files safely is to buy the special decryption software "C<span class="h">efkC</span>erber Decryptor".</p>
<p>Any attempts to rest<span class="h">SVI</span>ore your files with the thir<span class="h">w</span>d-party software will be fatal for your files!</p>
<hr>
<p class="w331208">You can proc<span class="h">vdr6QL</span>eed with purchasing of the decryption softw<span class="h">3846nW</span>are at your personal page:</p>
<p><span class="info"><span class="updating">Ple<span class="h">1</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/DDB8-341D-44B1-0446-9D8D</a></span></p>
<p>If t<span class="h">L3</span>his page cannot be opened <span class="button" onclick="return _url_upd_('en');">cli<span class="h">z3r</span>ck here</span> to get a new addr<span class="h">ajB</span>ess of your personal page.<br><br>If the addre<span class="h">P9wdaxah</span>ss of your personal page is the same as befo<span class="h">c87Y34A9r</span>re after you tried to get a new one,<br>you c<span class="h">9DUdWiUQ</span>an try to get a new address in one hour.</p>
<p>At th<span class="h">7ua02</span>is page you will receive the complete instr<span class="h">a</span>uctions how to buy the decrypti<span class="h">tarv</span>on software for restoring all your files.</p>
<p>Also at this page you will be able to res<span class="h">mz</span>tore any one file for free to be sure "Cerbe<span class="h">MTeRc</span>r Decryptor" will help you.</p>
<hr>
<p>If your per<span class="h">H</span>sonal page is not availa<span class="h">GarHYEBtX</span>ble for a long period there is another way to open your personal page - insta<span class="h">ZYkyyL5eYd</span>llation and use of Tor Browser:</p>
<ol>
<li>run your Inte<span class="h">cyy</span>rnet browser (if you do not know what it is run the Internet Explorer);</li>
<li>ent<span class="h">GIZkWv6O9</span>er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site load<span class="h">X</span>ing;</li>
<li>on the site you will be offered to do<span class="h">mLQ0ilsa2R</span>wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>ru<span class="h">TX8TxF</span>n Tor Browser;</li>
<li>connect with the butt<span class="h">9X1YpR</span>on "Connect" (if you use the English version);</li>
<li>a normal Internet bro<span class="h">3</span>wser window will be opened after the initialization;</li>
<li>type or copy the add<span class="h">r3PlKQ</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/DDB8-341D-44B1-0446-9D8D</span><br> in this browser address bar;</li>
<li>pre<span class="h">1Diou02</span>ss ENTER;</li>
<li>the site sho<span class="h">sUrxlZnT</span>uld be loaded; if for some reason the site is not lo<span class="h">gy6</span>ading wait for a moment and try again.</li>
</ol>
<p>If you have any pr<span class="h">40OaG</span>oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">J</span>h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p>
<hr>
<p><strong>Addit<span class="h">y</span>ional information:</strong></p>
<p>You will fi<span class="h">FIobi</span>nd the instru<span class="h">eetASC</span>ctions ("*_READ_THIS_FILE_*.hta") for re<span class="h">Zmgg</span>storing your files in any f<span class="h">I0w</span>older with your enc<span class="h">ake</span>rypted files.</p>
<p>The instr<span class="h">UOUm5cK7b</span>uctions "*_READ_THIS_FILE_*.hta" in the f<span class="h">efj9fh7</span>older<span class="h">5FQ97</span>s with your encry<span class="h">FbyIBf6cN9</span>pted files are not vir<span class="h">S3DOEd8uq</span>uses! The instruc<span class="h">Q7q3K5Q3EM</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">88iN</span>lp you to dec<span class="h">n</span>rypt your files.</p>
<p>Remembe<span class="h">k</span>r! The worst si<span class="h">VjioPHRRGR</span>tuation already happ<span class="h">Zx3Pha</span>ened and now the future of your files de<span class="h">P</span>pends on your determ<span class="h">xpcsaJ</span>ination and speed of your actions.</p>
</div>
<div id="ar" style="direction: rtl;">
<p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p>
<p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".</p>
<p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p>
<p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".</p>
<p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p>
<hr>
<p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p>
<p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/DDB8-341D-44B1-0446-9D8D</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/DDB8-341D-44B1-0446-9D8D" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/DDB8-341D-44B1-0446-9D8D</a></span></p>
<p>في حالة تعذر فتح هذه الصفحة <span class="button" onclick="return _url_upd_('ar');">انقر هنا</span> لإنشاء عنوان جديد لصفحتك الشخصية.</p>
<p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p>
<p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.</p>
<hr>
<p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p>
<ol>
<li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li>
<li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li>
<li>انتظر لتحميل الموقع;</li>
<li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li>
<li>قم بتشغيل متصفح Tor;</li>
<li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li>
<li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li>
<li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/DDB8-341D-44B1-0446-9D8D</span><br> في شريط العنوان في المتصفح;</li>
<li>اضغط ENTER;</li>
<li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li>
</ol>
<p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p>
<hr>
<p><strong>معلومات إض<span class="h">PZ2vKV</span>افية:</strong></p>
<p>س<span class="h">NnFir</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p>
<p>الإرش<span class="h">ArtSC</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p>
<p>تذكر أن أسوأ مو<span class="h">egOikl</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p>
</div>
<div id="zh">
<p>您找不到所需的文件?<br>您文件的内容无法阅读?</p>
<p>这是正常的,因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。</p>
<p>这意味着您的文件并没有损坏!您的文件只是被修改了,这个修改是可逆
Extracted
Path
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\_R_E_A_D___T_H_I_S___63J9Z_.txt
Family
cerber
Ransom Note
CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/DDB8-341D-44B1-0446-9D8D
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/DDB8-341D-44B1-0446-9D8D
2. http://p27dokhpz2n7nvgr.14ewqv.top/DDB8-341D-44B1-0446-9D8D
3. http://p27dokhpz2n7nvgr.14vvrc.top/DDB8-341D-44B1-0446-9D8D
4. http://p27dokhpz2n7nvgr.129p1t.top/DDB8-341D-44B1-0446-9D8D
5. http://p27dokhpz2n7nvgr.1apgrn.top/DDB8-341D-44B1-0446-9D8D
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/DDB8-341D-44B1-0446-9D8D
http://p27dokhpz2n7nvgr.12hygy.top/DDB8-341D-44B1-0446-9D8D
http://p27dokhpz2n7nvgr.14ewqv.top/DDB8-341D-44B1-0446-9D8D
http://p27dokhpz2n7nvgr.14vvrc.top/DDB8-341D-44B1-0446-9D8D
http://p27dokhpz2n7nvgr.129p1t.top/DDB8-341D-44B1-0446-9D8D
http://p27dokhpz2n7nvgr.1apgrn.top/DDB8-341D-44B1-0446-9D8D
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Detect Neshta payload 4 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Contacts a large (1100) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d.exe"C:\Users\Admin\AppData\Local\Temp\c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___PKLDN_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___XUF80PXE_.txt3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
Network
-
DNSc.pki.googRequestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.180.3
-
GEThttp://c.pki.goog/r/r1.crlRequestGET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 304 Not Modified
Date: Thu, 20 Mar 2025 03:24:20 GMT
Expires: Thu, 20 Mar 2025 04:14:20 GMT
Age: 2325
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
No results found
-
178.33.158.0:6893 -
178.33.158.1:6893
-
178.33.158.2:6893
-
178.33.158.3:6893
-
178.33.158.4:6893
-
178.33.158.5:6893
-
178.33.158.6:6893
-
178.33.158.7:6893
-
178.33.158.8:6893
-
178.33.158.9:6893
-
178.33.158.10:6893
-
178.33.158.11:6893
-
178.33.158.12:6893
-
178.33.158.13:6893
-
178.33.158.14:6893
-
178.33.158.15:6893
-
178.33.158.16:6893
-
178.33.158.17:6893
-
178.33.158.18:6893
-
178.33.158.19:6893
-
178.33.158.20:6893
-
178.33.158.21:6893
-
178.33.158.22:6893
-
178.33.158.23:6893
-
178.33.158.24:6893
-
178.33.158.25:6893
-
178.33.158.26:6893
-
178.33.158.27:6893
-
178.33.158.28:6893
-
178.33.158.29:6893
-
178.33.158.30:6893
-
178.33.158.31:6893
-
178.33.159.0:6893
-
178.33.159.1:6893
-
178.33.159.2:6893
-
178.33.159.3:6893
-
178.33.159.4:6893
-
178.33.159.5:6893
-
178.33.159.6:6893
-
178.33.159.7:6893
-
178.33.159.8:6893
-
178.33.159.9:6893
-
178.33.159.10:6893
-
178.33.159.11:6893
-
178.33.159.12:6893
-
178.33.159.13:6893
-
178.33.159.14:6893
-
178.33.159.15:6893
-
178.33.159.16:6893
-
178.33.159.17:6893
-
178.33.159.18:6893
-
178.33.159.19:6893
-
178.33.159.20:6893
-
178.33.159.21:6893
-
178.33.159.22:6893
-
178.33.159.23:6893
-
178.33.159.24:6893
-
178.33.159.25:6893
-
178.33.159.26:6893
-
178.33.159.27:6893
-
178.33.159.28:6893
-
178.33.159.29:6893
-
178.33.159.30:6893
-
178.33.159.31:6893
-
178.33.160.0:6893
-
178.33.160.1:6893
-
178.33.160.2:6893
-
178.33.160.3:6893
-
178.33.160.4:6893
-
178.33.160.5:6893
-
178.33.160.6:6893
-
178.33.160.7:6893
-
178.33.160.8:6893
-
178.33.160.9:6893
-
178.33.160.10:6893
-
178.33.160.11:6893
-
178.33.160.12:6893
-
178.33.160.13:6893
-
178.33.160.14:6893
-
178.33.160.15:6893
-
178.33.160.16:6893
-
178.33.160.17:6893
-
178.33.160.18:6893
-
178.33.160.19:6893
-
178.33.160.20:6893
-
178.33.160.21:6893
-
178.33.160.22:6893
-
178.33.160.23:6893
-
178.33.160.24:6893
-
178.33.160.25:6893
-
178.33.160.26:6893
-
178.33.160.27:6893
-
178.33.160.28:6893
-
178.33.160.29:6893
-
178.33.160.30:6893
-
178.33.160.31:6893
-
178.33.160.32:6893
-
178.33.160.33:6893
-
178.33.160.34:6893
-
178.33.160.35:6893
-
178.33.160.36:6893
-
178.33.160.37:6893
-
178.33.160.38:6893
-
178.33.160.39:6893
-
178.33.160.40:6893
-
178.33.160.41:6893
-
178.33.160.42:6893
-
178.33.160.43:6893
-
178.33.160.44:6893
-
178.33.160.45:6893
-
178.33.160.46:6893
-
178.33.160.47:6893
-
178.33.160.48:6893
-
178.33.160.49:6893
-
178.33.160.50:6893
-
178.33.160.51:6893
-
178.33.160.52:6893
-
178.33.160.53:6893
-
178.33.160.54:6893
-
178.33.160.55:6893
-
178.33.160.56:6893
-
178.33.160.57:6893
-
178.33.160.58:6893
-
178.33.160.59:6893
-
178.33.160.60:6893
-
178.33.160.61:6893
-
178.33.160.62:6893
-
178.33.160.63:6893
-
178.33.160.64:6893
-
178.33.160.65:6893
-
178.33.160.66:6893
-
178.33.160.67:6893
-
178.33.160.68:6893
-
178.33.160.69:6893
-
178.33.160.70:6893
-
178.33.160.71:6893
-
178.33.160.72:6893
-
178.33.160.73:6893
-
178.33.160.74:6893
-
178.33.160.75:6893
-
178.33.160.76:6893
-
178.33.160.77:6893
-
178.33.160.78:6893
-
178.33.160.79:6893
-
178.33.160.80:6893
-
178.33.160.81:6893
-
178.33.160.82:6893
-
178.33.160.83:6893
-
178.33.160.84:6893
-
178.33.160.85:6893
-
178.33.160.86:6893
-
178.33.160.87:6893
-
178.33.160.88:6893
-
178.33.160.89:6893
-
178.33.160.90:6893
-
178.33.160.91:6893
-
178.33.160.92:6893
-
178.33.160.93:6893
-
178.33.160.94:6893
-
178.33.160.95:6893
-
178.33.160.96:6893
-
178.33.160.97:6893
-
178.33.160.98:6893
-
178.33.160.99:6893
-
178.33.160.100:6893
-
178.33.160.101:6893
-
178.33.160.102:6893
-
178.33.160.103:6893
-
178.33.160.104:6893
-
178.33.160.105:6893
-
178.33.160.106:6893
-
178.33.160.107:6893
-
178.33.160.108:6893
-
178.33.160.109:6893
-
178.33.160.110:6893
-
178.33.160.111:6893
-
178.33.160.112:6893
-
178.33.160.113:6893
-
178.33.160.114:6893
-
178.33.160.115:6893
-
178.33.160.116:6893
-
178.33.160.117:6893
-
178.33.160.118:6893
-
178.33.160.119:6893
-
178.33.160.120:6893
-
178.33.160.121:6893
-
178.33.160.122:6893
-
178.33.160.123:6893
-
178.33.160.124:6893
-
178.33.160.125:6893
-
178.33.160.126:6893
-
178.33.160.127:6893
-
178.33.160.128:6893
-
178.33.160.129:6893
-
178.33.160.130:6893
-
178.33.160.131:6893
-
178.33.160.132:6893
-
178.33.160.133:6893
-
178.33.160.134:6893
-
178.33.160.135:6893
-
178.33.160.136:6893
-
178.33.160.137:6893
-
178.33.160.138:6893
-
178.33.160.139:6893
-
178.33.160.140:6893
-
178.33.160.141:6893
-
178.33.160.142:6893
-
178.33.160.143:6893
-
178.33.160.144:6893
-
178.33.160.145:6893
-
178.33.160.146:6893
-
178.33.160.147:6893
-
178.33.160.148:6893
-
178.33.160.149:6893
-
178.33.160.150:6893
-
178.33.160.151:6893
-
178.33.160.152:6893
-
178.33.160.153:6893
-
178.33.160.154:6893
-
178.33.160.155:6893
-
178.33.160.156:6893
-
178.33.160.157:6893
-
178.33.160.158:6893
-
178.33.160.159:6893
-
178.33.160.160:6893
-
178.33.160.161:6893
-
178.33.160.162:6893
-
178.33.160.163:6893
-
178.33.160.164:6893
-
178.33.160.165:6893
-
178.33.160.166:6893
-
178.33.160.167:6893
-
178.33.160.168:6893
-
178.33.160.169:6893
-
178.33.160.170:6893
-
178.33.160.171:6893
-
178.33.160.172:6893
-
178.33.160.173:6893
-
178.33.160.174:6893
-
178.33.160.175:6893
-
178.33.160.176:6893
-
178.33.160.177:6893
-
178.33.160.178:6893
-
178.33.160.179:6893
-
178.33.160.180:6893
-
178.33.160.181:6893
-
178.33.160.182:6893
-
178.33.160.183:6893
-
178.33.160.184:6893
-
178.33.160.185:6893
-
178.33.160.186:6893
-
178.33.160.187:6893
-
178.33.160.188:6893
-
178.33.160.189:6893
-
178.33.160.190:6893
-
178.33.160.191:6893
-
178.33.160.192:6893
-
178.33.160.193:6893
-
178.33.160.194:6893
-
178.33.160.195:6893
-
178.33.160.196:6893
-
178.33.160.197:6893
-
178.33.160.198:6893
-
178.33.160.199:6893
-
178.33.160.200:6893
-
178.33.160.201:6893
-
178.33.160.202:6893
-
178.33.160.203:6893
-
178.33.160.204:6893
-
178.33.160.205:6893
-
178.33.160.206:6893
-
178.33.160.207:6893
-
178.33.160.208:6893
-
178.33.160.209:6893
-
178.33.160.210:6893
-
178.33.160.211:6893
-
178.33.160.212:6893
-
178.33.160.213:6893
-
178.33.160.214:6893
-
178.33.160.215:6893
-
178.33.160.216:6893
-
178.33.160.217:6893
-
178.33.160.218:6893
-
178.33.160.219:6893
-
178.33.160.220:6893
-
178.33.160.221:6893
-
178.33.160.222:6893
-
178.33.160.223:6893
-
178.33.160.224:6893
-
178.33.160.225:6893
-
178.33.160.226:6893
-
178.33.160.227:6893
-
178.33.160.228:6893
-
178.33.160.229:6893
-
178.33.160.230:6893
-
178.33.160.231:6893
-
178.33.160.232:6893
-
178.33.160.233:6893
-
178.33.160.234:6893
-
178.33.160.235:6893
-
178.33.160.236:6893
-
178.33.160.237:6893
-
178.33.160.238:6893
-
178.33.160.239:6893
-
178.33.160.240:6893
-
178.33.160.241:6893
-
178.33.160.242:6893
-
178.33.160.243:6893
-
178.33.160.244:6893
-
178.33.160.245:6893
-
178.33.160.246:6893
-
178.33.160.247:6893
-
178.33.160.248:6893
-
178.33.160.249:6893
-
178.33.160.250:6893
-
178.33.160.251:6893
-
178.33.160.252:6893
-
178.33.160.253:6893
-
178.33.160.254:6893
-
178.33.160.255:6893
-
178.33.161.0:6893
-
178.33.161.1:6893
-
178.33.161.2:6893
-
178.33.161.3:6893
-
178.33.161.4:6893
-
178.33.161.5:6893
-
178.33.161.6:6893
-
178.33.161.7:6893
-
178.33.161.8:6893
-
178.33.161.9:6893
-
178.33.161.10:6893
-
178.33.161.11:6893
-
178.33.161.12:6893
-
178.33.161.13:6893
-
178.33.161.14:6893
-
178.33.161.15:6893
-
178.33.161.16:6893
-
178.33.161.17:6893
-
178.33.161.18:6893
-
178.33.161.19:6893
-
178.33.161.20:6893
-
178.33.161.21:6893
-
178.33.161.22:6893
-
178.33.161.23:6893
-
178.33.161.24:6893
-
178.33.161.25:6893
-
178.33.161.26:6893
-
178.33.161.27:6893
-
178.33.161.28:6893
-
178.33.161.29:6893
-
178.33.161.30:6893
-
178.33.161.31:6893
-
178.33.161.32:6893
-
178.33.161.33:6893
-
178.33.161.34:6893
-
178.33.161.35:6893
-
178.33.161.36:6893
-
178.33.161.37:6893
-
178.33.161.38:6893
-
178.33.161.39:6893
-
178.33.161.40:6893
-
178.33.161.41:6893
-
178.33.161.42:6893
-
178.33.161.43:6893
-
178.33.161.44:6893
-
178.33.161.45:6893
-
178.33.161.46:6893
-
178.33.161.47:6893
-
178.33.161.48:6893
-
178.33.161.49:6893
-
178.33.161.50:6893
-
178.33.161.51:6893
-
178.33.161.52:6893
-
178.33.161.53:6893
-
178.33.161.54:6893
-
178.33.161.55:6893
-
178.33.161.56:6893
-
178.33.161.57:6893
-
178.33.161.58:6893
-
178.33.161.59:6893
-
178.33.161.60:6893
-
178.33.161.61:6893
-
178.33.161.62:6893
-
178.33.161.63:6893
-
178.33.161.64:6893
-
178.33.161.65:6893
-
178.33.161.66:6893
-
178.33.161.67:6893
-
178.33.161.68:6893
-
178.33.161.69:6893
-
178.33.161.70:6893
-
178.33.161.71:6893
-
178.33.161.72:6893
-
178.33.161.73:6893
-
178.33.161.74:6893
-
178.33.161.75:6893
-
178.33.161.76:6893
-
178.33.161.77:6893
-
178.33.161.78:6893
-
178.33.161.79:6893
-
178.33.161.80:6893
-
178.33.161.81:6893
-
178.33.161.82:6893
-
178.33.161.83:6893
-
178.33.161.84:6893
-
178.33.161.85:6893
-
178.33.161.86:6893
-
178.33.161.87:6893
-
178.33.161.88:6893
-
178.33.161.89:6893
-
178.33.161.90:6893
-
178.33.161.91:6893
-
178.33.161.92:6893
-
178.33.161.93:6893
-
178.33.161.94:6893
-
178.33.161.95:6893
-
178.33.161.96:6893
-
178.33.161.97:6893
-
178.33.161.98:6893
-
178.33.161.99:6893
-
178.33.161.100:6893
-
178.33.161.101:6893
-
178.33.161.102:6893
-
178.33.161.103:6893
-
178.33.161.104:6893
-
178.33.161.105:6893
-
178.33.161.106:6893
-
178.33.161.107:6893
-
178.33.161.108:6893
-
178.33.161.109:6893
-
178.33.161.110:6893
-
178.33.161.111:6893
-
178.33.161.112:6893
-
178.33.161.113:6893
-
178.33.161.114:6893
-
178.33.161.115:6893
-
178.33.161.116:6893
-
178.33.161.117:6893
-
178.33.161.118:6893
-
178.33.161.119:6893
-
178.33.161.120:6893
-
178.33.161.121:6893
-
178.33.161.122:6893
-
178.33.161.123:6893
-
178.33.161.124:6893
-
178.33.161.125:6893
-
178.33.161.126:6893
-
178.33.161.127:6893
-
178.33.161.128:6893
-
178.33.161.129:6893
-
178.33.161.130:6893
-
178.33.161.131:6893
-
178.33.161.132:6893
-
178.33.161.133:6893
-
178.33.161.134:6893
-
178.33.161.135:6893
-
178.33.161.136:6893
-
178.33.161.137:6893
-
178.33.161.138:6893
-
178.33.161.139:6893
-
178.33.161.140:6893
-
178.33.161.141:6893
-
178.33.161.142:6893
-
178.33.161.143:6893
-
178.33.161.144:6893
-
178.33.161.145:6893
-
178.33.161.146:6893
-
178.33.161.147:6893
-
178.33.161.148:6893
-
178.33.161.149:6893
-
178.33.161.150:6893
-
178.33.161.151:6893
-
178.33.161.152:6893
-
178.33.161.153:6893
-
178.33.161.154:6893
-
178.33.161.155:6893
-
178.33.161.156:6893
-
178.33.161.157:6893
-
178.33.161.158:6893
-
178.33.161.159:6893
-
178.33.161.160:6893
-
178.33.161.161:6893
-
178.33.161.162:6893
-
178.33.161.163:6893
-
178.33.161.164:6893
-
178.33.161.165:6893
-
178.33.161.166:6893
-
178.33.161.167:6893
-
178.33.161.168:6893
-
178.33.161.169:6893
-
178.33.161.170:6893
-
178.33.161.171:6893
-
178.33.161.172:6893
-
178.33.161.173:6893
-
178.33.161.174:6893
-
178.33.161.175:6893
-
178.33.161.176:6893
-
178.33.161.177:6893
-
178.33.161.178:6893
-
178.33.161.179:6893
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
1KB
MD5bd81a9b98715f51da0b4df9e96ae91dc
SHA1d3a7df23185f6b7af57ce56dbe63d7988c61789a
SHA256c21c5db56ae09938c6a101885cf7731a433ea14621ec755cda57941c7d2629d2
SHA51286aaed59c6581113d674de21a4cea1d1a86da8f4524ea793f56c8a67179140a63e9eac05f3c0ac0ba6c3a43551ec082f06836cd71a6e913e791fdd2d6ea3a548
-
Filesize
75KB
MD5c696cc53994f5ac31c19a18b0c66c892
SHA1b01c2ff822ff8d4cb5ec96f95225255bd7c34bde
SHA25655deec67d52b66e6de9fb29e63a827a9982bb9b6a9231f2860120298de8953f8
SHA51221e461248f2cd0687688cbd41eda6d7d76a47fbbf85a187015ddc2aa677f4708297d0b4213bf94585fc073161c676877dc532db7b5a7f41258644b08e2588eae
-
Filesize
604KB
MD58b6bc16fd137c09a08b02bbe1bb7d670
SHA1c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
-
Filesize
212KB
-
Filesize
196KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB