cerber | 40abba5de032810cc879ecd7bd604405e5a20344c293279cffb9a45b5e2b8bb2

Resubmissions

25/03/2025, 07:23

250325-h76czswnv3 10

25/03/2025, 05:16

250325-fx8z1svnw5 10

Analysis

max time kernel
1800s
max time network
1490s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
Size

191KB
MD5

c148dc43bc2ccd6d2ff2dce23bf51b14
SHA1

42f33ac515a422b25a38f3bd81d5b673f83549ca
SHA256

40abba5de032810cc879ecd7bd604405e5a20344c293279cffb9a45b5e2b8bb2
SHA512

cb64fe2390a19bed4e18b4248751feff99418d7677f4f43577c15a6f2064c604e1ab7cdc97a52389b88587c492f6fa8c4231d314b4c1690af1c6b3a9352e6348
SSDEEP

3072:+DxABswxafBRTT7VhGaQAK9EyhSRnCdHnXad3e43k1jtY04UklcEGVWIRdlsLQ:+uBswxoB1XaaQAKthcnWXadVkj3IlcVK

Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___571UYNK1_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/1880-7A5A-F09E-0006-4544 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.tor2web.org/1880-7A5A-F09E-0006-4544 2. http://p27dokhpz2n7nvgr.onion.link/1880-7A5A-F09E-0006-4544 3. http://p27dokhpz2n7nvgr.onion.nu/1880-7A5A-F09E-0006-4544 4. http://p27dokhpz2n7nvgr.onion.cab/1880-7A5A-F09E-0006-4544 5. http://p27dokhpz2n7nvgr.onion.to/1880-7A5A-F09E-0006-4544 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/1880-7A5A-F09E-0006-4544

http://p27dokhpz2n7nvgr.tor2web.org/1880-7A5A-F09E-0006-4544

http://p27dokhpz2n7nvgr.onion.link/1880-7A5A-F09E-0006-4544

http://p27dokhpz2n7nvgr.onion.nu/1880-7A5A-F09E-0006-4544

http://p27dokhpz2n7nvgr.onion.cab/1880-7A5A-F09E-0006-4544

http://p27dokhpz2n7nvgr.onion.to/1880-7A5A-F09E-0006-4544

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___HABOQ35_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="lT9z" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yorMOu find the necessary files? Is the cuqvjf8ontent of your files not readable? It is normal betIAtkDZMcause the files' names and the data in your files have been encrypJted by "CejB9hareNy4rber Ransomware". It mec5E9QBYans your files are NOT damageVqD20TWYd! Your files are modified only. This modification is reversible. FPUq0rom now it is not poss5rible to use your files until they will be decrypted. The only way to dec9dz6ltUBNhrypt your files safely is to buy the special decryption software "CZTD9nhlrerber Decryptor". Any attempts to restr04w0ore your files with the thir9oorn6lergd-party software will be fatal for your files! <hr> You can procTvyeed with purchasing of the decryption softw0um8iye1gare at your personal page: Ple2i3Yha3ase wait...<a class="url" href="http://p27dokhpz2n7nvgr.tor2web.org/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.link/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.to/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.to/1880-7A5A-F09E-0006-4544</a> If tAzUugyshis page cannot be opened  cliIjcnMck here  to get a new addrOsT45Uoess of your personal page. If the addreFzrss of your personal page is the same as befohtC4hhtPUre after you tried to get a new one, you cXQDTt58iban try to get a new address in one hour. At thJGeTfDghis page you will receive the complete instrvfcuctions how to buy the decryptiJjtXhon software for restoring all your files. Also at this page you will be able to resKA4vuNMtore any one file for free to be sure "CerbeP8r Decryptor" will help you. <hr> If your perXh1nsonal page is not availaiPjC2ble for a long period there is another way to open your personal page - instaZllation and use of Tor Browser: <ol> <li>run your InteGBnrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>enttM9Mer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadBing;</li> <li>on the site you will be offered to doicIE8LBK2lwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruOTX3n Tor Browser;</li> <li>connect with the buttOBgw4on "Connect" (if you use the English version);</li> <li>a normal Internet brok4mwser window will be opened after the initialization;</li> <li>type or copy the addAIFttR5ress http://p27dokhpz2n7nvgr.onion/1880-7A5A-F09E-0006-4544 in this browser address bar;</li> <li>preass ENTER;</li> <li>the site shoAHP5QJmj7uld be loaded; if for some reason the site is not lo8WYYsl6Tuading wait for a moment and try again.</li> </ol> If you have any prOmVoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcXh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditVY0NUUional information: You will fifnnd the instrurBEUqRctions ("*_READ_THIS_FILE_*.hta") for redMJTPMUstoring your files in any fKbPZJfWolder with your encarypted files. The instrOnm6uctions "*_READ_THIS_FILE_*.hta" in the fdIVsiNtolderZus with your encryAx0AH6xRFpted files are not virwTLwlZrFuses! The instrucadG1tS3D1tions "*_READ_THIS_FILE_*.hta" will heoroKcGYlp you to decETGKtv0rypt your files. Remembe7hxNl7r! The worst si60zFBtuation already happmCKio1Gened and now the future of your files deVFRjcpends on your determssmxination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.tor2web.org/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.link/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/1880-7A5A-F09E-0006-4544</a><hr><a href="http://p27dokhpz2n7nvgr.onion.to/1880-7A5A-F09E-0006-4544" target="_blank">http://p27dokhpz2n7nvgr.onion.to/1880-7A5A-F09E-0006-4544</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/1880-7A5A-F09E-0006-4544 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضTQfg9dIJjEافية: سbDzMsWوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرش5DRادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موBzob0Nقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这个修��

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1117) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2672	netsh.exe
2024	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe

Loads dropped DLL 1 IoCs

pid	Process
4408	SystemSettingsAdminFlows.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA170.bmp"	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Logs\PBR\INF\setupapi.dev.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.dev.log	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File created	C:\Windows\Logs\PBR\Panther\cbs.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\_s_33F1.tmp	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\_s_3720.tmp	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	C:\Windows\Logs\PBR\CBS	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\cbs_unattend.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\Contents1.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setup.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ResetConfig.ini	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	C:\Windows\Logs\PBR\CBS\CbsPersist_20250314151208.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\cbs.log	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\Contents0.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\DDACLSys.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG1	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File created	C:\Windows\Logs\PBR\Panther\DDACLSys.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\Contents0.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\_s_3720.tmp	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File created	C:\Windows\Logs\PBR\Panther\diagwrn.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File created	C:\Windows\Logs\PBR\CBS\CbsPersist_20250314151208.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ReAgent\ReAgent.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.offline.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\diagwrn.xml	SystemSettingsAdminFlows.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5464	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4532	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873610666953668"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5672	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5464	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2368	chrome.exe
2368	chrome.exe
4180	LocalBridge.exe
4180	LocalBridge.exe
4180	LocalBridge.exe
4180	LocalBridge.exe
4180	LocalBridge.exe
4180	LocalBridge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	OpenWith.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
Token: SeCreatePagefilePrivilege	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeShutdownPrivilege	2368	chrome.exe
Token: SeCreatePagefilePrivilege	2368	chrome.exe
Token: SeBackupPrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeSecurityPrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeTakeOwnershipPrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	4408	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	4408	SystemSettingsAdminFlows.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe
2368	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4072	OpenWith.exe
2756	OpenWith.exe
1844	OpenWith.exe
4408	SystemSettingsAdminFlows.exe
5400	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5452 wrote to memory of 2672	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe	78
PID 5452 wrote to memory of 2672	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe	78
PID 5452 wrote to memory of 2672	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe	78
PID 5452 wrote to memory of 2024	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe	80
PID 5452 wrote to memory of 2024	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe	80
PID 5452 wrote to memory of 2024	5452	2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe	80
PID 2368 wrote to memory of 4984	2368	chrome.exe	86
PID 2368 wrote to memory of 4984	2368	chrome.exe	86
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5044	2368	chrome.exe	88
PID 2368 wrote to memory of 5044	2368	chrome.exe	88
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 5040	2368	chrome.exe	87
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89
PID 2368 wrote to memory of 2440	2368	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5452
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___U4ITN_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:744
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___H5Q1ID9_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:5672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea926dcf8,0x7ffea926dd04,0x7ffea926dd10
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1956,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1984 /prefetch:11
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2312 /prefetch:13
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4200,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3800 /prefetch:9
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5368 /prefetch:14
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5536,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5548 /prefetch:14
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5464,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5768,i,4979255246862815479,1700472579788508714,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2564

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4112

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\234ebcd2b2084bc79553746dc74f64d3 /t 3040 /p 744
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4520

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
PID:5624

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3560

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetCamSystemGlobal location 1
1⤵
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub
1⤵
PID:436

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5136

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1384

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5400

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___U4ITN_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- System Location Discovery: System Language Discovery
PID:392

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$SysReset\Logs\setupact.log

Filesize
109KB

MD5
ea32433077afeff55b66250be8da5920

SHA1
fa0f14b5289cd4c2883d02845f7687bfa09b121f

SHA256
07f4f5db891c79c2fbdf7e2350e28fc2aa6302baf805b55592b6641a6fbc1f19

SHA512
13f115aa65e996ce4fa9d689b5193a359d7e855efcd33f1464965dadcc1882f18626e466d313cc6c9364a92a38db1d405efc58cd3422f08ae5bd6e1fc6297ec1

Download Submit
C:\$SysReset\Logs\setuperr.log

Filesize
974B

MD5
69976bbb178d99e7fc69d4f4a7448da4

SHA1
1865c7d83371bd7e73f497e1c70781234300b7d2

SHA256
65c3329dddd581825df858d9f450190f9ecd06d178105b7b1b25573856ca3d81

SHA512
848b92eb97cdb897e1f4ccae09514e1952a61480d54dca5aa9cc6d52a5ac97fbd7b3d3ad5d29a85286db3cdb04648817500ead94cbeed88028451a98d299d03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
609ccb35612593a6cf78b7c5832c153e

SHA1
714f215de981ed1f82f435adc696e5c70efdcfae

SHA256
00af279279b240106af69b683068285c78261a639431fd20ff6f45685467aa23

SHA512
35d5f81a16aaedc3b61c6555663fedd0928ce31b4e853c5558a83516df6969d638a2e1b089fdac543b5fc791d86c747b30440cc6696ea3a1fbddcac0e9c90b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
48a735237014a108d1ba54b3062ddab8

SHA1
c62b24108e6b4a60664db9d1d1ffe5b744575f4e

SHA256
dbbccd6bdd1b1bc855a78a1d2beaadd71834a19613fd5f739bf25cfbfa806098

SHA512
b8f8a1f1133e711cf19f782d92ee53805b8354a607f8c644bac4fb4951521d3ff5daf012a319c451f96ab6d8817a249566060bedfca2015fb84a322087315b9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8100701cb9cc41b2b099b5cbbfdbb210

SHA1
b2317f10e94fb69f15afb8416201467d62045f5f

SHA256
081a3db8ce2244400ffda168dc605d09986ad93638b6220179ffe544762edaf4

SHA512
6b6639602f5c21ee69ebaf770b020a02bd3c39319065f0f5bf5ba9a87a43277814fb96f4f50081245b91f7b0f9b63c3f88aa886b8c13599c9f6bc0b974255a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a321894a5b74e741ae41088fc5b3a1bf

SHA1
5bdb1fa9b1718f6e4c37d75544edf37afd766396

SHA256
fc7fa7628b3483b95b773bc8ae0415dd3ae06a12891a723029da2c60ad7b864a

SHA512
70dff5efe428e8d79d37babdc1dfe4e906aa90f58f3bf843bd0d70e22ebda5f174a29665a15efe162c2ea1b597a0885bdd1e1b44e06b37ea38935d425df8ac55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
841d0222f212e8ff149987874534d340

SHA1
9aa35322a3bf38aaf9795e9f2029f72942819c17

SHA256
8e9ad68bafaaa15f05ffe09838fe118d015a3788a199b81e6f63df70e1a381f1

SHA512
99154acfddba3fa68804b60c6533f0bc1d5918539ef4babecd27e3a4454e9949710c1177ab16971bd20614e017b122ac99b25d9d0dba513f923839b84f3bf330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3129ba3b739514c8a3d2775413f9497f

SHA1
c9ff18d904afa430d04af4a05f17eba09854c209

SHA256
df9099f7f654c8fb8282b8a94e58ef8b03d1aaf12b375bbe03ba6452c86c6ac1

SHA512
fe0c619b9c6df58876af9578d7ce0259c089cd273f9810001c699ac5041eeba19c308d6176793786d64d6dbbdc6f6ef146e40efe8bf8624c0444779877117f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
37ab5fa25be86666dad99e821f35cb0c

SHA1
0100e6289e41f023d50a0abde21c963d5cf860be

SHA256
a0b51041eaa4c1a540b6ef59d69fc0bdf9b55837c3b7a3f8c6658df5282e9936

SHA512
c505c729c9635f3c3926cf688884630e25cdd7f8c5a2a2b1540a4306e26f248885de745d13737e6316209451bbe3887a908a977724a33b3286226a8fdf0b8f78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57db8b.TMP

Filesize
48B

MD5
009c7fdec846ac810b4822f6ccfd0380

SHA1
cd3b16318c0c589195c4b9af519c64aee8c0bfa2

SHA256
2d59bb9054befe67413806ef0b42bb4411c6530a32e747ab87d781b99d40af03

SHA512
50b0fabfc545493a0915c9d31e4875551c36252d7dfeeca845d13d9d78628417b17c4b1293506c62d0f3b4d43c4e783c15b8c5cdb89a2b4691be16ab236647c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
88a20e773b830c9c8cc26a13ef984786

SHA1
b5d145f5a06c5fd80e0f88accc5c4bd03fa40fed

SHA256
7edf474b24e07ecbf27b49d084d73f168ca85e3d3db3d433f20f2a7d111ff40c

SHA512
5da7db9e270b231c99fcf5fdae06295f651b1823017c178ff9606dcbd9850f82ca64f1009ff4005d6db9f9c30ac573aa17c43114f83213ccd434c101c6868e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
0753043fe1cf9844cfe18745580d7f7f

SHA1
42aeddae114c57edda9cfc0dee2d3f0348ef1d04

SHA256
8dc1265427512f44682b362e9f91f727dc35b0f62deacefed796d70257dbd48b

SHA512
f70872f84444b78e8eb99d3e8f69941b17bfb4bd188dcc92815a8766b80ef88e34712341b83e6a2cec270db48345be2cc27f18ec00a6a0d5bce471360cb2d86b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
50b8e820c7c68fc0bda0689e1015a579

SHA1
e101ba681c7ecd90ab00521bb312883fe0caf5cc

SHA256
9e4c0b9667d55d59cacc815727cf7ff5d5b4b59f034483cb0aa15d921018d23b

SHA512
802c0ac52aeb09d6390ce801ef0a69c71e9fdf8fedb39a1fecd42cc33b6685662522e4569819b7444e35804c8f76aca7a6a6484289981b1be9233da814da0e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___571UYNK1_.txt

Filesize
1KB

MD5
7d494fdacb6145a477c9252fc096b5dc

SHA1
b6d22d5855ac42908eebe02dcf37355840cf7b37

SHA256
f87cc1fb55ef1fb21d8ce9c11f05dd7af1ae1279d46dca6194472f5b753f1417

SHA512
12fcfc2d7743320a7308f98a147c9c59eb8b66446bb2a67e102ff4851a32fbfed4f02641ae51926d05763e8f254dfd80c5a3c0528dd2a7f6d4d99a287a9296f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___HABOQ35_.hta

Filesize
75KB

MD5
cb258be6148c629928fe2a4af756c4a9

SHA1
ea1a437f7fd5bbdd6f7294ce83d507ef9a5d8bb5

SHA256
e7b14170040dee48d7f1d04d6078ef8a134506df5df1419ac1b3de757d738ecc

SHA512
6fb9f4651304be6bfb54bd3166e80849d99baf8f3800b0dd8e19e3424c50ce31401cc3bef633630c64333e0fee8a4ff5229d612b7220628c00c02fb45714b63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-3-25.725.3560.1.odl

Filesize
706B

MD5
268eac78deffe1815d3b12ed427cd9f8

SHA1
bccaf016ca7e6939aa7ec738492199f6f787eae3

SHA256
63138d843e1ec76777923f37341c145b3b5d66ded5fe9d9f3c81d452eb402f9e

SHA512
9a55315b1144b792deffc3402dc5ffa3f37f45a63cdaad2ebbd0dfb2eec933b356d093d428b7d85842c4c0ca8852483df30879d865d54f8992a79e1e863582bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\6ea1cd35-d491-44e9-9f95-fa0264765793.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9103E2B1-C5CA-4EC3-BA2B-76819ABC2585}\ssshim.dll

Filesize
148KB

MD5
3de653713e705e001c3f0be1efc51ed3

SHA1
63565592c266226d36604933e51725e90010da25

SHA256
c78ebef77e03135b3cea0705d4c259d782ed80746faea4e9f4a851e494fa94f9

SHA512
7db1063fa2a7c0bcf394d7a20984ab1b501cb24fae5e801addace77424ba773c948a87d8c3fb38f06366b1478f70ba0278c48f219d224ff6e904ff2ee161fb4e

Download Submit
C:\Windows\Logs\PBR\ResetConfig.ini

Filesize
167B

MD5
e8b67f9f170a171d59b1020f686f09ce

SHA1
19428a2ab0e7f64ceaf7cdc723916a9f6ebf26bd

SHA256
e88065016cfd248d4d0f5199becb3d9233a4d96bcb60fa5a7c2724c2cc71ac1d

SHA512
8616c3065e84f11acd8cbe57e3dc06fab843787ccccec062ec873ba7e97eeb6008cb61b2e35a71bbbdd61be800ad96af6a0dbbbcca42992ed2a5ee0681e156a8

Download Submit
C:\Windows\Logs\PBR\SessionID.xml

Filesize
106B

MD5
9185a5c5fa3d309693c24c3e7593c82b

SHA1
48fb38d7afee9b2f67d6b8d1bc812200f8ee328c

SHA256
dcdf6e3ddd654f9a937ccfbfbf42209d704f5ab3881522239ba0c4ddfa3b74fd

SHA512
22fb6d46a5057d03c4264c8f78e71e289ae88e7f57efc6180742f8cbcf866d04dae673d717db0d9a50fd5c67774a1be24e630ad66b0d7a34ffa762c4f51c12f6

Download Submit
C:\Windows\Logs\PBR\Timestamp.xml

Filesize
42B

MD5
807827f29af430c584b8e8114f44f66b

SHA1
2403f6c2168ceaea99a2b76841975f4f348d169d

SHA256
e38e32816d2dd5f893428b88b39086a35de8392214e8b7c6b83b28c8cd5f55a4

SHA512
e2d1ad02461ccceab6e5e191976e5b558ebb967ff7dd2311e35837e0682aa5d4cb3b83763c140a500c46d23749b1c681f895fab6cd668b31aac8bf312a7efa98

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
10KB

MD5
890b1e631c9b813cfde26537587929d1

SHA1
8eb837780070b3a750a115cb2c3dc7a90801d900

SHA256
9457fa169c9c029a72e744f21a104b6c3bf9869a178f4d63699888f4e142f4dd

SHA512
2aec1cf99176cf4cc5238fad4e70cf9d4582994ad0eb1b6ca53d8095fc701855d34bf6aa1cf1859c8456b79830aedcbff4edfcf972b082e309dcca271596dd19

Download Submit
memory/4180-852-0x000002B118CB0000-0x000002B118CDC000-memory.dmp

Filesize
176KB

Download
memory/4180-854-0x000002B132F30000-0x000002B132F38000-memory.dmp

Filesize
32KB

Download
memory/4180-853-0x000002B132F20000-0x000002B132F2A000-memory.dmp

Filesize
40KB

Download
memory/4180-856-0x000002B1346B0000-0x000002B134758000-memory.dmp

Filesize
672KB

Download
memory/4180-857-0x000002B132FD0000-0x000002B132FF2000-memory.dmp

Filesize
136KB

Download
memory/4180-858-0x000002B132FB0000-0x000002B132FC4000-memory.dmp

Filesize
80KB

Download