cerber | e53d33dac3813096d6630fd1b3af960e4d7264ffbce5d85d31783c36489d27cd

Resubmissions

09/04/2025, 16:37

250409-t42q6sw1bs 10

09/04/2025, 15:52

250409-ta325swsht 10

Analysis

max time kernel
899s
max time network
832s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deception-rules (11).csv
Size

8KB
MD5

10fd331f3c4fd86806f8e32c38e912b6
SHA1

85de90ff6468df5b1e3a701af4aa32bc3e6fc387
SHA256

e53d33dac3813096d6630fd1b3af960e4d7264ffbce5d85d31783c36489d27cd
SHA512

9bbfaf13263c8eea5b6950962568d59dbdb82e025e552432ceabc67d0d050437111b4a8d93d76244e5abe0e1dd1c85a0cfb34e5462e3256259a261fede19b1ed
SSDEEP

192:Pz9wf2TEKKaVO+HpCpdHAAYoeytnTHznv4hDX:GNankcgQL

Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___A4H6_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/FECC-DE04-4AF3-0446-903E Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/FECC-DE04-4AF3-0446-903E 2. http://p27dokhpz2n7nvgr.14ewqv.top/FECC-DE04-4AF3-0446-903E 3. http://p27dokhpz2n7nvgr.14vvrc.top/FECC-DE04-4AF3-0446-903E 4. http://p27dokhpz2n7nvgr.129p1t.top/FECC-DE04-4AF3-0446-903E 5. http://p27dokhpz2n7nvgr.1apgrn.top/FECC-DE04-4AF3-0446-903E ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/FECC-DE04-4AF3-0446-903E

http://p27dokhpz2n7nvgr.12hygy.top/FECC-DE04-4AF3-0446-903E

http://p27dokhpz2n7nvgr.14ewqv.top/FECC-DE04-4AF3-0446-903E

http://p27dokhpz2n7nvgr.14vvrc.top/FECC-DE04-4AF3-0446-903E

http://p27dokhpz2n7nvgr.129p1t.top/FECC-DE04-4AF3-0446-903E

http://p27dokhpz2n7nvgr.1apgrn.top/FECC-DE04-4AF3-0446-903E

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___R7PMH_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="LOLRAsj" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoxBoUu find the necessary files? Is the clXai9ontent of your files not readable? It is normal beqN7EcnzP4cause the files' names and the data in your files have been encryp1uVt9r7FMEted by "CespG6rber Ransomware". It me2aA3gePans your files are NOT damagessNszZ24wd! Your files are modified only. This modification is reversible. FiR779rom now it is not poss9pYHYlOsfYible to use your files until they will be decrypted. The only way to dec9A0xDrypt your files safely is to buy the special decryption software "C1bhVBUCerber Decryptor". Any attempts to reste7n6z7d5ore your files with the thiradZpjEUbyBd-party software will be fatal for your files! <hr> You can procyk28Teed with purchasing of the decryption softwd8foyare at your personal page: Plee3y1ase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/FECC-DE04-4AF3-0446-903E</a> If tGhis page cannot be opened  cliWBhiA3Pck here  to get a new addrUdGNC1Whess of your personal page. If the addrean211IQowGss of your personal page is the same as befoSNyre after you tried to get a new one, you cgggBIB0vZan try to get a new address in one hour. At thtipnaU8is page you will receive the complete instrP7d0vaLuctions how to buy the decryptiGWBfxSnnon software for restoring all your files. Also at this page you will be able to resAAOqiPhV14tore any one file for free to be sure "CerbeuFBFM6ubxr Decryptor" will help you. <hr> If your periPKtL5jsonal page is not availaO9ble for a long period there is another way to open your personal page - insta7sFTIllation and use of Tor Browser: <ol> <li>run your Inte6rnet browser (if you do not know what it is run the Internet Explorer);</li> <li>enthlsner or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadqing;</li> <li>on the site you will be offered to doAibYQ6dlwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruxcn Tor Browser;</li> <li>connect with the butthxX2pvyon "Connect" (if you use the English version);</li> <li>a normal Internet bropxWDjwser window will be opened after the initialization;</li> <li>type or copy the addjrHsK7Qqress http://p27dokhpz2n7nvgr.onion/FECC-DE04-4AF3-0446-903E in this browser address bar;</li> <li>preDRZYQmRI4Css ENTER;</li> <li>the site shoxwL4YFBDbuld be loaded; if for some reason the site is not lojqM8sivading wait for a moment and try again.</li> </ol> If you have any prDpwhlyR2UCoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc2qOiuh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AddituL3ional information: You will fi7I6IG3nPnrnd the instruUfU6OIczrActions ("*_READ_THIS_FILE_*.hta") for reYRfstoring your files in any fDXLolder with your enco6Bsrypted files. The instrnrDNIKQbO1uctions "*_READ_THIS_FILE_*.hta" in the fIBhjYEtrolderGcmsjCs with your encryfWhl7c86pted files are not virfqKiijuses! The instrucVXfM0YCVxtions "*_READ_THIS_FILE_*.hta" will heBAnX8Flp you to decWyc14yAPrypt your files. Remembenor! The worst sirtuation already happCP9BWQened and now the future of your files depLN1YclEpends on your determp91HwEeL8ination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/FECC-DE04-4AF3-0446-903E</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/FECC-DE04-4AF3-0446-903E" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/FECC-DE04-4AF3-0446-903E</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/FECC-DE04-4AF3-0446-903E في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضgBNrافية: سZHNkvszjوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشDoادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موG0eGقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文�

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1132) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5612	netsh.exe
3388	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
113	raw.githubusercontent.com
114	raw.githubusercontent.com
157	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC0C.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1672	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3992	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133886915232375933"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
220	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1672	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5464	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
5688	chrome.exe
5688	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeCreatePagefilePrivilege	1684	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE
5464	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 5992	1684	chrome.exe	101
PID 1684 wrote to memory of 5992	1684	chrome.exe	101
PID 1684 wrote to memory of 4212	1684	chrome.exe	102
PID 1684 wrote to memory of 4212	1684	chrome.exe	102
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 3296	1684	chrome.exe	103
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104
PID 1684 wrote to memory of 5776	1684	chrome.exe	104

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\deception-rules (11).csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffede7bdcf8,0x7ffede7bdd04,0x7ffede7bdd10
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1640,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2112,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2420,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4328 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4744,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5392,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5640,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5772,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5896,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5636,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5624,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3544,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3480,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3264,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5656,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3300 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4448,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4648 /prefetch:2
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5984,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5592,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3732,i,9717300804335317945,6125459618574744611,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:4560

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe
"C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5292
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3388
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5612
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___71B5ZF_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4768
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___GK95_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3992
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1672

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\43821d6b-5a58-4464-a32c-01a54db80100.tmp

Filesize
153KB

MD5
c1620e4195482711b4644522058b5174

SHA1
c3d04233e2e90ff2a01668863fbc04092998d122

SHA256
e9642b344bfa12e528694142aee8fa414e6fa7fbfdf0f342c2ccda7e159d24a9

SHA512
7a441582f405600b5680e2f1e3379ae591b5bd40e066a3a261d2457bba3fffe77d67e0b2eb01ea847119c7b65d9140133e18cab54c8dee893dc0e78e5f871c42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\363fa5e3-18bf-44b2-b39b-570700192b26.tmp

Filesize
12KB

MD5
d708d9befcc77ab14bdb0ea483d9841a

SHA1
46cd43013e9d42ccefe4d00527b92a4e8bd081cf

SHA256
4deffd31a7bd62b3a68c4233d790877ccb1c0eb0a7734c58cc8f3cfd7e39cede

SHA512
cb691c79e773b58e0edd95080d6852ab559b02d65e26220b37b514e208592e2f2bab575368860ece6199d0b45c56856aae87fdca8667571839206755111c3f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8b662302-55e7-4665-8263-f578e8bb00d0.tmp

Filesize
12KB

MD5
92f83e38b850ce1f775394ff4414f568

SHA1
6b77fbc7a2aeb67b933f20fcc8929f82963c1c37

SHA256
99d3abac8e62f5ce25ed19e6c9ac4ae05ef7b5d8ec0bb15ba06eeb756234544d

SHA512
9e7f8b71ee02315a14938f57e9b9fa795009c93c459e5a6a876624a84648952450fa51d3720d62553e1c16d5862686f8f0dd3f2bbd8c7d00af6219b95ce45745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0b9e60a10d5dbbb4ac0cf6d352c2ced2

SHA1
639a3f0cb61722e12fbd494a131cb71fdcef534c

SHA256
7f4d90bdd9ce983a57a050bc9a03b10e39ac7f4df0fcb425ef80bd71af581fd6

SHA512
ec77cb314bf47788b2f724f980b588ae2819891d267dd9108901b2a3c991ff9b2bc80c4c97dffd5ca3150608498da875da14ba6db5f6e04a8a564f9d265a8b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
190062a1b3fdc18c6108ba886772488e

SHA1
3706ce341b510fd5f6978c9f5bedd2ae23f9da82

SHA256
5da04eb9b55f429fb210a295ae5db38337c811822cf6b2b27b08aafdab1ff949

SHA512
33a8bcc05cf3915fcdedde5a0c10ee11cf20ec08f037bb531e11278c5e5df87c1e75dfc05316f1ad97396fd4efefea9433d22e86da87bd979beaddf78572a544

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
2ec257ab0f737f9f8fbbe2474405d48d

SHA1
58f65ce4fa57156611568ea89f16ee3320861dc4

SHA256
5270e759b2766455d904ccd01613caec8620659a4834d3d3a95bab6035c14625

SHA512
b539b87e2fd6b7ed264ab810de3c24472bdc92fe6dbc6f7f70a1a8b5d11641297498b8e82306b6f4701351f237846b0848ed770241812fd9b2af7a49d33b6d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
42e5a39b247aa750d74bf5e262370984

SHA1
ecba1ddf670c63ab4bd9f68520d618ca53254fbe

SHA256
218b7c8c08d3181e28e76b9eff18911454368bb3e320e7119b880f79fb95c92d

SHA512
00fb4546528564a799be22e499ead5a1f28c7ffd438e02aa2f50ead9a1db177f36de3b34d29c5631549180d551187a4be3f8a14e93c7031aca640f8ec59468a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c2d640b7dbdff983c4af2f05c7976b32

SHA1
e05c1324f1e0f57cb98358897d7a52b075e4745b

SHA256
6dd11d5a9fa69195b53541c0ad5b86f63e60a6d5d90701de1c8ffc1a3a53f13d

SHA512
6c4fd5ecddcf8ea08241b64544a9ce418063b1bd2e69fcdf85b97df68c99c07ddf40c78feb4a7d991cfe7ece77d13da6e282ddf4db21153879ac7d85399176fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f980a029a4bd653bf53987c597fd72f5

SHA1
f2b2729f5135faa0fb6fbc39279f6fd3f7d2d313

SHA256
07622a0a35f6864913a08b0093b6f891aa47ca6e6e71533181cf4859740a41f7

SHA512
056d28321be869ee455dec160afafee8c725d7b802f021f278e82e51f9e26f15c272f3105b18b9a5f9731ca45d8a099db0fe6c162ce8a58ca08a2fe9b73e2222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
771ffb0b7ed01debc3568553e94dd106

SHA1
e85f19fc533e86babd3aabe926bde9d3818cf890

SHA256
5a652999b248fa32fb0c99e65886238c9fa7140c96edacd3891100ce9c1602e4

SHA512
5728619b185b4fbb15ebdabd5c459241ccce8a74de50e255c91b5afa42833425a0274316dddec3ef9824beb29cc93235eae9ddfa46d7674e2bb80b95b92d4fba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c22559393ea1a6c36e4af59d799d8fa4

SHA1
2f39fb682921dfda006e01a131ed47c14153b206

SHA256
983f5fb62a934be060acec9945fd286847f51d0b2fc0120b558e2c5d97f72884

SHA512
39f4774fef7b0bf28d53e08581a080c16e95455ee57ccfb50a286f798b738de02119e646870b5aa009338c0539ee6fd46bffa7d6628715970c9801d54a5036e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c97b53ebc9031b9dfb7e70b231b03a41

SHA1
f3a5adc5baa144f36feafe1cedb6ec2cea55da8e

SHA256
0f1427c25b04d08fb35542c9b0e1d4bfe90b5e7ede3f9fcb6fb11f62c02ae8b2

SHA512
914fd6b5c17267a66fd6fe75f76669af0e31e31b0a7e3ec7b14ff6ece5fe0f27dbe0001190310ce32dd8c3c7c5c280e1db9b4b12be04da0af5fd6ebea9e54d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
e3a9d8b2d08bf61d6d2a862e114286fc

SHA1
67c328073aa7919403d3cda3e374b1094e71d075

SHA256
077760316ebb5f762dddaf75ace3f38d56391f50b8ee1354c88ebe573153ebc0

SHA512
abea3c9017dd89c0e582fe14ed16523f429e02903103012ea740893ba29030ab9aed79fc283761886f5efb544f2372d8112005192c37e920f2c914e6870bea23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
94978e8889069302e40d8ceac8a1ea67

SHA1
03cc3fbc0003c34dc7020b94b028e47d73492770

SHA256
93a725a510d2b2a6a0d29b543cd22c1142c169658c238c5705711acf02aee4e9

SHA512
218ec4f7b4864a5733e5d58855734387bcac5a5c077c2537f494424803838011dbc58538b078108e27626f2a2bdb10c0aa2215ea604af9ad615cea886a5ed7a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8f3184028ead6b5ace72e8c378b6115d

SHA1
8661acaae12f90ad406c6968a1876779ce01f6af

SHA256
05780f75f099cc48f3e08c8819029b83616a3edccca404634a40581e1fd90d60

SHA512
8964c9c8497ca8799cb5a4aa9b20f86e386d5c4760e0c2f0a844295b85a8bc3c4c53f2d66553235dd93011358de5fe42827eed9b5ace8d047f61a949d0736656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ff40.TMP

Filesize
48B

MD5
221232c522af70458d96b02337757dd5

SHA1
5f721eadb728612e0809938b187cd442d99b06d1

SHA256
cc7016cb75f326fc46e6c343046f320557b6eaf2768cb2ec6798d5b2d0ae1e7d

SHA512
940378068785dc8137103c257bd18177f8622a9d7431c6e65d334af9abfbdf7bf8a5fe0367861401b5116fb9455dade79fca25849ed7640b31f9114551cb63ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
50f4b970ec5b55afb54701c25d8187e1

SHA1
cce934728bcc57ea387186413828c23f9a838232

SHA256
7d5cef13829938974af9de3d21bda465a3e89684b07e073fa13f6f8b36c2f243

SHA512
40caecba3c39d0e8db62a591923acb6b2b928b37b886a3378cc043d72763d824b38d2ea9430baa092d192e801b44fbf83e90244f5a49400d4e6849982270b813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
789c0d86076ab16a210b12489cbc9927

SHA1
4f3dfa08c64f273ea8fc071ed3fafb09592fc268

SHA256
1c890baa927e7791e9feba0a4914c587bda563b6097c07b1532f6da19a6c77fb

SHA512
a43e5ab5d5aedd1e9054ce3866bf7a94d204d99daf6f3358db83f36efd1a994c92e716f58d4d50d1205fd45ec9d8b312a5ce043b8c77833ffb39054326651e34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
a117e4330eb19b7a507da6db0d174126

SHA1
0e884e1cc9961260c7bc0fa33ca88e45f7738ede

SHA256
05936e9ca3dc84b713db8378f1ba1b7800a8dc0050b0f11045161a8ea2e011d2

SHA512
9d69ab5ab885e9715dc8a6d9a782d729c2aadadd489a90776988fe75bbf3f35431313cfb6b8ca981b0fef4365ff1cc3d7a9196e6c35cebfb82a353792cef7a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___A4H6_.txt

Filesize
1KB

MD5
1880779a8933441a9b62963c6eeaff4a

SHA1
7b75c157d3768940546c8f5bf05fd3fe9f0820da

SHA256
e6f61045c8651fca7659d104824b4542a5d24f23b171b957076a2e9e26f3c641

SHA512
6f1135548cd1dbaaf5a77f9e53f82bd3aebb168c7217cbcccaabd081faec0333a3281d3300f35c74eea448b0ade9c064ccdd5088376f415dcacb3c5729e0ae26

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1684_2069183217\c56df86b-28a8-4ae1-a36a-5fc77b44e28c.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___R7PMH_.hta

Filesize
75KB

MD5
344cf3c21802a6e45329cf892f3da55f

SHA1
324a7436eca379b2d81ed3344f7b688cf186799a

SHA256
a84d4d5e7cc0f14154bfa8d4c2fb8a9db3b13c457b8ef51c2ed9dac174693cc0

SHA512
f4b786ff3341076210d16aac23a95813ede84c088adcd90f8b49fb4a0f7d3a6d5c28e1977ebc8735c6be005bd3a572f41d9b894060395c3f964961dea8e3a038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
6b49345774fd0cd9c4cd6457d5df693f

SHA1
8b98867954dbc163f7aa30e87aadeeae6999d303

SHA256
98f81ffb0d56a7e99a1b5904258bf6877e5bee48f35369097ce94b7ff86c2b14

SHA512
18184cc1e9dc835a64768ab620eb9fd11a14bd0043cb9aa8d20f650a678b26bfc023fcd75656ed1d42d599feda16202737c521b2fef32d29f6b426056bc8b9aa

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cerber.zip

Filesize
215KB

MD5
5c571c69dd75c30f95fe280ca6c624e9

SHA1
b0610fc5d35478c4b95c450b66d2305155776b56

SHA256
416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

SHA512
8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

Download Submit
\??\c:\users\admin\appdata\local\microsoft\office\16.0\excel.exe_rules.xml

Filesize
322KB

MD5
89f4a9c9e94617e7a9454bbc95a9f63c

SHA1
39a38a61449a2a61d384be8c428950b7c2cca04d

SHA256
c856d820cb6eed50d145c12a0e858769523b11fb09e8ff0af71c43ad92c53353

SHA512
8e56eceb8477ff6b9417ec48222588305b06124dbd69829a053dfb6ee87f9b8ca587f5a18abb477f165c70c058acf06c5d6632de76537c6d4bd064e3b871e84a

Download Submit
memory/5292-1376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5292-1368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5292-1388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5292-1389-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/5292-968-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5292-952-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5464-0-0x00007FFEC45F0000-0x00007FFEC4600000-memory.dmp

Filesize
64KB

Download
memory/5464-2-0x00007FFEC45F0000-0x00007FFEC4600000-memory.dmp

Filesize
64KB

Download
memory/5464-6-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-13-0x00007FFEC2490000-0x00007FFEC24A0000-memory.dmp

Filesize
64KB

Download
memory/5464-9-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-7-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-8-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-10-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-4-0x00007FFEC45F0000-0x00007FFEC4600000-memory.dmp

Filesize
64KB

Download
memory/5464-5-0x00007FFEC45F0000-0x00007FFEC4600000-memory.dmp

Filesize
64KB

Download
memory/5464-11-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-12-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-16-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-17-0x00007FFEC2490000-0x00007FFEC24A0000-memory.dmp

Filesize
64KB

Download
memory/5464-18-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-31-0x00007FFF0460D000-0x00007FFF0460E000-memory.dmp

Filesize
4KB

Download
memory/5464-15-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-14-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-30-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-36-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-3-0x00007FFEC45F0000-0x00007FFEC4600000-memory.dmp

Filesize
64KB

Download
memory/5464-32-0x00007FFF04570000-0x00007FFF04765000-memory.dmp

Filesize
2.0MB

Download
memory/5464-1-0x00007FFF0460D000-0x00007FFF0460E000-memory.dmp

Filesize
4KB

Download