Overview

overview

10

Static

static

1

deception-...1).csv

windows10-2004-x64

10

Resubmissions

09/04/2025, 16:37

250409-t42q6sw1bs 10

09/04/2025, 15:52

250409-ta325swsht 10

Analysis

  • max time kernel
    899s
  • max time network
    894s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2025, 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deception-rules (11).csv

  • Size

    8KB

  • MD5

    10fd331f3c4fd86806f8e32c38e912b6

  • SHA1

    85de90ff6468df5b1e3a701af4aa32bc3e6fc387

  • SHA256

    e53d33dac3813096d6630fd1b3af960e4d7264ffbce5d85d31783c36489d27cd

  • SHA512

    9bbfaf13263c8eea5b6950962568d59dbdb82e025e552432ceabc67d0d050437111b4a8d93d76244e5abe0e1dd1c85a0cfb34e5462e3256259a261fede19b1ed

  • SSDEEP

    192:Pz9wf2TEKKaVO+HpCpdHAAYoeytnTHznv4hDX:GNankcgQL

Score
10/10
cerberdefense_evasiondiscoverypersistenceprivilege_escalationransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___QLZQYMLV_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/7C8E-DFB5-BF28-0446-9955 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/7C8E-DFB5-BF28-0446-9955 2. http://p27dokhpz2n7nvgr.14ewqv.top/7C8E-DFB5-BF28-0446-9955 3. http://p27dokhpz2n7nvgr.14vvrc.top/7C8E-DFB5-BF28-0446-9955 4. http://p27dokhpz2n7nvgr.129p1t.top/7C8E-DFB5-BF28-0446-9955 5. http://p27dokhpz2n7nvgr.1apgrn.top/7C8E-DFB5-BF28-0446-9955 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/7C8E-DFB5-BF28-0446-9955

http://p27dokhpz2n7nvgr.12hygy.top/7C8E-DFB5-BF28-0446-9955

http://p27dokhpz2n7nvgr.14ewqv.top/7C8E-DFB5-BF28-0446-9955

http://p27dokhpz2n7nvgr.14vvrc.top/7C8E-DFB5-BF28-0446-9955

http://p27dokhpz2n7nvgr.129p1t.top/7C8E-DFB5-BF28-0446-9955

http://p27dokhpz2n7nvgr.1apgrn.top/7C8E-DFB5-BF28-0446-9955

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___VEAOY8_.hta

Family

cerber

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;: Instructi&#111;ns</title> <HTA:APPLICATION APPLICATIONNAME="ZgMpaS79T" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">&#9745; English</a> <h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1> <small id="title">Instructions</small> </div> <div id="languages"> <p>&#9745; Select your language</p> <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> <p>Can't yo<span class="h">2RuWJS8</span>u find the necessary files?<br>Is the c<span class="h">mA</span>ontent of your files not readable?</p> <p>It is normal be<span class="h">bZwq</span>cause the files' names and the data in your files have been encryp<span class="h">8ik0cDF</span>ted by "Ce<span class="h">N</span>r&#98;er&nbsp;Rans&#111;mware".</p> <p>It me<span class="h">Uaa7KBWVP</span>ans your files are NOT damage<span class="h">WzIhnlv</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">L</span>rom now it is not poss<span class="h">qGy</span>ible to use your files until they will be decrypted.</p> <p>The only way to dec<span class="h">dJuJMGKZKr</span>rypt your files safely is to &#98;uy the special decryption software "C<span class="h">oZmv</span>er&#98;er&nbsp;Decryptor".</p> <p>Any attempts to rest<span class="h">HedA</span>ore your files with the thir<span class="h">4oSW5TCZOA</span>d-party software will be fatal for your files!</p> <hr> <p class="w331208">You can proc<span class="h">3</span>eed with purchasing of the decryption softw<span class="h">feoCm</span>are at your personal page:</p> <p><span class="info"><span class="updating">Ple<span class="h">wWEyS</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/7C8E-DFB5-BF28-0446-9955</a></span></p> <p>If t<span class="h">BCk3Rqky</span>his page cannot be opened &nbsp;<span class="button" onclick="return _url_upd_('en');">cli<span class="h">phwHNbLj</span>ck here</span>&nbsp; to get a new addr<span class="h">wlT8MWtkB</span>ess of your personal page.<br><br>If the addre<span class="h">6aiaAYMc1</span>ss of your personal page is the same as befo<span class="h">wAOQ5l</span>re after you tried to get a new one,<br>you c<span class="h">7</span>an try to get a new address in one hour.</p> <p>At th<span class="h">oMBv</span>is p&#097;ge you will receive the complete instr<span class="h">tqKn</span>uctions how to buy the decrypti<span class="h">UEmwMU</span>on software for restoring all your files.</p> <p>Also at this p&#097;ge you will be able to res<span class="h">oRw7E4cI5</span>tore any one file for free to be sure "Cer&#98;e<span class="h">Jy</span>r&nbsp;Decryptor" will help you.</p> <hr> <p>If your per<span class="h">sLKM</span>sonal page is not availa<span class="h">5</span>ble for a long period there is another way to open your personal page - insta<span class="h">d3x</span>llation and use of Tor&nbsp;Browser:</p> <ol> <li>run your Inte<span class="h">UmSfYA</span>rnet browser (if you do not know wh&#097;t it is run the Internet&nbsp;Explorer);</li> <li>ent<span class="h">8RKwLOeGuA</span>er or copy the &#097;ddress <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/downlo&#097;d/download-easy.html.en</a> into the address bar of your browser &#097;nd press ENTER;</li> <li>wait for the site load<span class="h">CsfeqRjEN</span>ing;</li> <li>on the site you will be offered to do<span class="h">eFvKa2jTWa</span>wnload Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ru<span class="h">TuxLIvtoy</span>n Tor&nbsp;Browser;</li> <li>connect with the butt<span class="h">WJBlEx0w</span>on "Connect" (if you use the English version);</li> <li>a normal Internet bro<span class="h">l</span>wser window will be opened &#097;fter the initialization;</li> <li>type or copy the add<span class="h">Oi</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/7C8E-DFB5-BF28-0446-9955</span><br> in this browser address bar;</li> <li>pre<span class="h">UFzrmwu</span>ss ENTER;</li> <li>the site sho<span class="h">acmPP</span>uld be loaded; if for some reason the site is not lo<span class="h">79LDn0ASG</span>ading wait for a moment and try again.</li> </ol> <p>If you have any pr<span class="h">aLxeNy7vos</span>oblems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">RZwQM</span>h bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> <hr> <p><strong>Addit<span class="h">QdYRPTV</span>ional information:</strong></p> <p>You will fi<span class="h">fSlNb4q</span>nd the instru<span class="h">6BSiWkp</span>cti&#111;ns ("*_READ_THIS_FILE_*.hta") for re<span class="h">BiLYNN5z</span>st&#111;ring y&#111;ur files in &#097;ny f<span class="h">t9Z</span>&#111;lder with your enc<span class="h">PQSql</span>rypted files.</p> <p>The instr<span class="h">0ZDZwXWZoO</span>ucti&#111;ns "*_READ_THIS_FILE_*.hta" in the f<span class="h">e7qyCf</span>&#111;lder<span class="h">pBxm</span>s with your encry<span class="h">nWhlT1ruKJ</span>pted files are not vir<span class="h">G8WJowxY</span>uses! The instruc<span class="h">uzC</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">W</span>lp you to dec<span class="h">t5DL</span>rypt your files.</p> <p>Remembe<span class="h">m</span>r! The w&#111;rst si<span class="h">P</span>tu&#097;tion already happ<span class="h">LCFFiNid</span>ened and n&#111;w the future of your files de<span class="h">DSh3slth4</span>pends on your determ<span class="h">N</span>ination and speed of your actions.</p> </div> <div id="ar" style="direction: rtl;"> <p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p> <p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cer&#98;er&nbsp;Rans&#111;mware".</p> <p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p> <p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cer&#98;er&nbsp;Decryptor".</p> <p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p> <hr> <p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p> <p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/7C8E-DFB5-BF28-0446-9955</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/7C8E-DFB5-BF28-0446-9955" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/7C8E-DFB5-BF28-0446-9955</a></span></p> <p>في حالة تعذر فتح هذه الصفحة &nbsp;<span class="button" onclick="return _url_upd_('ar');">انقر هنا</span>&nbsp; لإنشاء عنوان جديد لصفحتك الشخصية.</p> <p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p> <p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cer&#98;er&nbsp;Decryptor" سوف يساعدك.</p> <hr> <p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p> <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/7C8E-DFB5-BF28-0446-9955</span><br> في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> <p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p> <hr> <p><strong>معلومات إض<span class="h">t2Bw1GLRX3</span>افية:</strong></p> <p>س<span class="h">btsazD</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p> <p>الإرش<span class="h">DV</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p> <p>تذكر أن أسوأ مو<span class="h">CCqdt</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p> </div> <div id="zh"> <p>您找不到所需的文件?<br>您文件的内容无法阅读?</p> <p>这是正常的,因为您文件的文件名和数据已经被“Cer&#98;er&nbsp;Rans&#111;mware”加密了。</p> <p>这意味着您的文件并没有损坏!您的文件只是被�

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Cerber family
    cerber
  • Contacts a large (1132) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    defense_evasion
  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\deception-rules (11).csv"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:6060
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaafd6dcf8,0x7ffaafd6dd04,0x7ffaafd6dd10
      2⤵
        PID:4196
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2132 /prefetch:3
        2⤵
          PID:764
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2032,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2028 /prefetch:2
          2⤵
            PID:1768
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2544 /prefetch:8
            2⤵
              PID:3820
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3044,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3104 /prefetch:1
              2⤵
                PID:1156
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3084 /prefetch:1
                2⤵
                  PID:2200
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4264 /prefetch:2
                  2⤵
                    PID:6048
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4720,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4228 /prefetch:1
                    2⤵
                      PID:1472
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5392,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5400 /prefetch:8
                      2⤵
                        PID:3268
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5584,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5592 /prefetch:8
                        2⤵
                          PID:5408
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5596,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5620 /prefetch:8
                          2⤵
                            PID:3108
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5708,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5628 /prefetch:8
                            2⤵
                              PID:4444
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5400,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5432 /prefetch:8
                              2⤵
                                PID:4832
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5908,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5888 /prefetch:8
                                2⤵
                                  PID:2876
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5980,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5424 /prefetch:1
                                  2⤵
                                    PID:6100
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3904,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5644 /prefetch:1
                                    2⤵
                                      PID:5760
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3152,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3096 /prefetch:8
                                      2⤵
                                        PID:836
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3096 /prefetch:8
                                        2⤵
                                          PID:1156
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3652,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5868 /prefetch:8
                                          2⤵
                                            PID:4472
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3232,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6188 /prefetch:8
                                            2⤵
                                              PID:628
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3104,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6240 /prefetch:2
                                              2⤵
                                                PID:1232
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5752,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4796 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:4584
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=1088,i,13533424254620544219,7660830043002156001,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5884 /prefetch:8
                                                2⤵
                                                  PID:5116
                                              • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                1⤵
                                                  PID:5868
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                  1⤵
                                                    PID:2544
                                                  • C:\Windows\System32\rundll32.exe
                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                    1⤵
                                                      PID:3088
                                                    • C:\Program Files\7-Zip\7zG.exe
                                                      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30164:96:7zEvent25097
                                                      1⤵
                                                      • Suspicious use of FindShellTrayWindow
                                                      PID:1796
                                                    • C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe
                                                      "C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"
                                                      1⤵
                                                      • Drops startup file
                                                      • Drops file in System32 directory
                                                      • Sets desktop wallpaper using registry
                                                      • Drops file in Program Files directory
                                                      • Drops file in Windows directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:5964
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
                                                        2⤵
                                                        • Modifies Windows Firewall
                                                        • Event Triggered Execution: Netsh Helper DLL
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1680
                                                      • C:\Windows\SysWOW64\netsh.exe
                                                        C:\Windows\system32\netsh.exe advfirewall reset
                                                        2⤵
                                                        • Modifies Windows Firewall
                                                        • Event Triggered Execution: Netsh Helper DLL
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5296
                                                      • C:\Windows\SysWOW64\mshta.exe
                                                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CTQH_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3932
                                                      • C:\Windows\SysWOW64\NOTEPAD.EXE
                                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0K2CVW30_.txt
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Opens file in notepad (likely ransom note)
                                                        PID:5788
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4860
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /f /im "cerber.exe"
                                                          3⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Kills process with taskkill
                                                          PID:3696
                                                        • C:\Windows\SysWOW64\PING.EXE
                                                          ping -n 1 127.0.0.1
                                                          3⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:4820
                                                    • C:\Windows\SysWOW64\werfault.exe
                                                      werfault.exe /h /shared Global\f3081c59834e483499ab3d4325ee3b56 /t 3108 /p 3932
                                                      1⤵
                                                        PID:1596

                                                      Network

                                                      MITRE ATT&CK Enterprise v16

                                                      Reconnaissance

                                                      Resource Development

                                                      Initial Access

                                                      Execution

                                                      Persistence

                                                      Create or Modify System Process

                                                      1
                                                      T1543

                                                      Windows Service

                                                      1
                                                      T1543.003

                                                      Event Triggered Execution

                                                      1
                                                      T1546

                                                      Netsh Helper DLL

                                                      1
                                                      T1546.007

                                                      Privilege Escalation

                                                      Create or Modify System Process

                                                      1
                                                      T1543

                                                      Windows Service

                                                      1
                                                      T1543.003

                                                      Event Triggered Execution

                                                      1
                                                      T1546

                                                      Netsh Helper DLL

                                                      1
                                                      T1546.007

                                                      Defense Evasion

                                                      Impair Defenses

                                                      1
                                                      T1562

                                                      Disable or Modify System Firewall

                                                      1
                                                      T1562.004

                                                      Modify Registry

                                                      1
                                                      T1112

                                                      Credential Access

                                                      Discovery

                                                      Browser Information Discovery

                                                      1
                                                      T1217

                                                      Network Service Discovery

                                                      1
                                                      T1046

                                                      Query Registry

                                                      2
                                                      T1012

                                                      Remote System Discovery

                                                      1
                                                      T1018

                                                      System Information Discovery

                                                      2
                                                      T1082

                                                      System Location Discovery

                                                      1
                                                      T1614

                                                      System Language Discovery

                                                      1
                                                      T1614.001

                                                      System Network Configuration Discovery

                                                      1
                                                      T1016

                                                      Internet Connection Discovery

                                                      1
                                                      T1016.001

                                                      Lateral Movement

                                                      Collection

                                                      Command and Control

                                                      Web Service

                                                      1
                                                      T1102

                                                      Exfiltration

                                                      Impact

                                                      Defacement

                                                      1
                                                      T1491

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                        Filesize

                                                        649B

                                                        MD5

                                                        70eec60ca87a2bd5313510e04f81a506

                                                        SHA1

                                                        aa569c58ad07c16b6dde3bfdd4cbf802efda3325

                                                        SHA256

                                                        13823e949278e219762fc66029511fdb182f420ab40f3d8a6ca695cdb07bca3c

                                                        SHA512

                                                        9e6f63c8fc9e9c864bc54e8a8b2f3f72b343e1d65aabf3ae59bb984a6b0e494cdfaa16e7a49b31523ec939b4b1d0a4967b2a300cc726823c13003ebb9e454d0c

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                        Filesize

                                                        2KB

                                                        MD5

                                                        9b59471b5517506fb4264673327e19da

                                                        SHA1

                                                        585a24a82a76516977c63247bbd9d46bce9dbb06

                                                        SHA256

                                                        3433b31551e57131229dfe221b3af8d971669119622ef36a74ee558b4731582f

                                                        SHA512

                                                        01e4ee3cda7ca82682459c3968c637e93a29f1c0100a8c9473937b02e3f2fb7b77f1ac29544336eb3e5a5f46be72b58bb2afd5bdb3680fa2bc25247fc8366213

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json
                                                        Filesize

                                                        854B

                                                        MD5

                                                        4ec1df2da46182103d2ffc3b92d20ca5

                                                        SHA1

                                                        fb9d1ba3710cf31a87165317c6edc110e98994ce

                                                        SHA256

                                                        6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                                        SHA512

                                                        939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                        Filesize

                                                        6KB

                                                        MD5

                                                        064459c6ef5b79e73b324c237e93f3b3

                                                        SHA1

                                                        d5a20a7b900a8877d3767e6f02715985ff12fd8d

                                                        SHA256

                                                        2dd758ffe02c77314fa69c3f28fb33cdfcfe715e947fc4aac4a0dc5700858331

                                                        SHA512

                                                        b1006e8f2bf51515801fe2ef9e7d407dcfd1f4bbe080f9877aea314a7b7c0391fed402f638ea277b9d1a39978263aa0b22f3c033269374ff8a4308b801b110f8

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                        Filesize

                                                        6KB

                                                        MD5

                                                        1556959263e1ef5cca4d624a058c57c9

                                                        SHA1

                                                        267d67f28cff368074270f8052eccd578d773232

                                                        SHA256

                                                        326b0daa2d6a8f87f6d71c2bb2f228fb5d6ceaa3c7669e3f0cedc5c36f8d4b47

                                                        SHA512

                                                        5d801235062f04a883c57b2b132a1f4561828ef4c9961eecd0c1c8f557fe1680b88d684161313eecee45f80c8896319a77840273fe8b13dc50df4c4ab03c0f2c

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                        Filesize

                                                        5KB

                                                        MD5

                                                        6b60727420ff066abe2eb6d5aad752e9

                                                        SHA1

                                                        2deb187f4675ddc30e258db1b58082e8b0b12df3

                                                        SHA256

                                                        bfc840979415376631807ecca4b98465f2dc13b7f5d99936fee440708b4d3a49

                                                        SHA512

                                                        505a4851c520629fd984446d5754bad6ad87a77f7597d035310f95b518acaacff7a0ab4b495d736e36daebb49900fe723c89b2340fbef16e5b911b732b5f7ce4

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                        Filesize

                                                        2B

                                                        MD5

                                                        d751713988987e9331980363e24189ce

                                                        SHA1

                                                        97d170e1550eee4afc0af065b78cda302a97674c

                                                        SHA256

                                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                        SHA512

                                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                        Filesize

                                                        1KB

                                                        MD5

                                                        f90ce569737ce8beeab70e98e2b90bb1

                                                        SHA1

                                                        fb16b09fda255fb55ea0e121535c4c0496462240

                                                        SHA256

                                                        c32809f535a5c7b29592568fca15b35121fb2af60f68209c46782caaa9fb171f

                                                        SHA512

                                                        5331f6a059e46234f1dde6686179cb60ad85608842e6797b769bfe0fca8245dc4ebd3b714fbba2051d18e414f64cdce4603caa37868b4d230fc0b9ef25ee9fd7

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        12KB

                                                        MD5

                                                        451ee7f90d3a7c3ba0f20165c5686332

                                                        SHA1

                                                        2eee999acd4958799a0b4bac85e0a199ca875f8a

                                                        SHA256

                                                        b176f086b6c8aaf37ce66fa5419e8e692306fefb06dd484c382573e943654dd8

                                                        SHA512

                                                        0bbe307b14e0aa094c151f68f6ee50b2f3fca8812e06445e129223aefc701288cb2bf1447527b0617c47aa6fe25e657bd80894ebb33910e2be748bce4b3b0f7e

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        11KB

                                                        MD5

                                                        f2f1b890e79f345f4d226c2a10bfa3e8

                                                        SHA1

                                                        b26b86f58ac776f76049bf0d39c8cd9fdda8fc4b

                                                        SHA256

                                                        b2b90dbc5ec01bf2b02ad95eb24da3d4ef01aca2c9ed82fe2b01f18cb41dee51

                                                        SHA512

                                                        fdaf0e6ae623069c5d16dd2866a1019290ef4e659ff9ff8230eca984abc0e1e5d4f99589c7475e4f2fb8bf0ceea4f616f6308bca89e9038c53086df2563197c6

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        12KB

                                                        MD5

                                                        00563b6dc52df18ae5689020a038b9cb

                                                        SHA1

                                                        bd054d4324fbda49403a3c043b98d473eb121177

                                                        SHA256

                                                        1cf56404b5164c2d0c871d9e7e22f5a64109956454abf7d1ed2992446f1b79f2

                                                        SHA512

                                                        66f5306c8c16f385bc63baf7395225c1557f80a23d6d983ad81feb63770ea3773d1af987a17e7731d3c8c4eaa715750e4a4bdfcef6718facd618476fd8c8e8ac

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        12KB

                                                        MD5

                                                        b1c3ab155f31517c62be22f12b38f493

                                                        SHA1

                                                        90e3c2518a6346c687b829e4b3e1f4484aeae791

                                                        SHA256

                                                        009788f98f243deec9d054d377d00e6db06037a8d97dfe7448e34e8c9fe93910

                                                        SHA512

                                                        dc5be9e15afe06184ee944dd1f0a26d9fab25b689e08ea97778073c0bcd2c3ea1f7568b6847a6cd3c784baca2d6e727fcfec7cf9af94839a382f3e0f94748b43

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        11KB

                                                        MD5

                                                        40bd48a13d5a771fe469c54ac49b46db

                                                        SHA1

                                                        70ceaae91a66b5c94fd20d0f16b81b1a091935d6

                                                        SHA256

                                                        463603fae488f4927f646aeeb06e2418337ca7ff27df147bed1a55b6a89378ae

                                                        SHA512

                                                        b3475211c65f65f82735d692cafe90ffefbe2e9a4ba2a2d543a5bbe5da97b0c792e59e3dcce20a82c76459f74d4b3d26e4eb328398b3e69b651995a463ff7033

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                        Filesize

                                                        18KB

                                                        MD5

                                                        f56cda702c15ea3146845fe903415e67

                                                        SHA1

                                                        c3a49c470868a035a777480c97eafbd546108ab7

                                                        SHA256

                                                        0f9e6a34e36f208fa9cf2f709e547d3c53c0c181561f98896919857461e0f01f

                                                        SHA512

                                                        0b2e8007ff6acf7ad077829c963988207a0f35c28a7782c7adb970784e34dbc65ff76052a606120ea28cb1bed813213ba041c8d0ac029734adc509e8ae923d1a

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                        Filesize

                                                        15KB

                                                        MD5

                                                        fc34df90266f2ea9253f34d6538e74b8

                                                        SHA1

                                                        7ce04a8a3321ef0e362831a818a877ad1037042e

                                                        SHA256

                                                        20e53bfff6fc7e040990f950f7eb9bf00a34875e6fcd6714cb23a833a5b3d332

                                                        SHA512

                                                        978792426b3b8bcb3a25be523160b0336261ac91f3ba3c128a22b9d4b072459e7d6061c75265fb9d66cc824b8e38eb67122643807f2af448390d764048a665e5

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                        Filesize

                                                        72B

                                                        MD5

                                                        d66410007e59f32987d17e743243388d

                                                        SHA1

                                                        cc06b9844fe83f929d83d9a5a9365c6eeb8d8220

                                                        SHA256

                                                        c85a53906c060229071a0a7872be6497b1599c78fc539feca3f11923b9cba14a

                                                        SHA512

                                                        723abc2f06e4525b87edcd88f456d020ebd0f45391e65e81116969f5aa83250e9836b22677a01b9cc266b091bd731d663c7b7bb19231748464130d41cc9b7667

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                        Filesize

                                                        72B

                                                        MD5

                                                        cee12e4ec8a5d88d0ff79ee26d0e960d

                                                        SHA1

                                                        b6b2693d3513ec4ba2a4ed3f8002138d6a1cb58c

                                                        SHA256

                                                        621eaedd3199270866b78f22d6ba0d19162e3e6123f9621f7bda111542a8a892

                                                        SHA512

                                                        4fc6f8d79c523135ab539bc23d63c80cf5417f3f96e5a89351817033887bd20e64ed1841e76bdf78916fced777988f3539827ad9d10b1605fd845b93c7cc375f

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d939.TMP
                                                        Filesize

                                                        48B

                                                        MD5

                                                        ede05bae13cd368346b7f94c411dc7b8

                                                        SHA1

                                                        463655ca6c74c29aae2f2e2ee0655d6a372fca42

                                                        SHA256

                                                        c44ff49acb88bccefad0d89ef54a06efd968c9d2f449762cb9a094747857d9aa

                                                        SHA512

                                                        19f09d765e9205707d769adcf49e124b8b566df036ed33de8cde2cd63d576fcb98c8dc4f3ac9f95de631b554d1b824ffd11639553b5996832ff2acde69d281c1

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                        Filesize

                                                        153KB

                                                        MD5

                                                        46618e3d7b3bfa131a232681aadfe0ba

                                                        SHA1

                                                        bd21ca9d5b73da891561e76db5cbaf97a7512e66

                                                        SHA256

                                                        eba817d006acbc9161fc5bf352131a17b0037e1f957215a1c61ba516de880dd7

                                                        SHA512

                                                        ebe13ff913e1904334a1b5f92b47d241dec02afee4a10bc6684476c3728951faa3706d1bc44c82fda5bb6a3f63eca7f2d2a49db110a9075c9a9accd9c51ec7e8

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                        Filesize

                                                        153KB

                                                        MD5

                                                        bfa463a620d44aa58a4f88ea6c1ed4cc

                                                        SHA1

                                                        387f39b51a2551a0dfaaf2f9778e9a092c453dc4

                                                        SHA256

                                                        10f9a3931e717ddc1e98572a662eb0064dbf2168251144d55a23a428662ac2c1

                                                        SHA512

                                                        1163184779d551f6a9051f626c93fdc3e383d0c7926fb9e9ad621ddbbbfcbe6562f984c9439e080b94fbef74f2cb75303fead9c0f8d375836be745ec5f140574

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                        Filesize

                                                        154KB

                                                        MD5

                                                        bf435b1a44f92a8841107d0b43285a3d

                                                        SHA1

                                                        d4dfc6a483d904b949ddd5967041e275712d0994

                                                        SHA256

                                                        fb52a4f52df46e3a4e94c4b6a592b54f601ba04d53acfe7920e3bb5553cafb87

                                                        SHA512

                                                        dab61c254fabbdba9c427286bbe05fe0687606a02a06f7f7b4f47f5ec1515726f4c2c02ac9782cc2e82b15e1b1428b4d98afccb5fe80409ef70cb5466b823c7c

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                        Filesize

                                                        80KB

                                                        MD5

                                                        3eb876113f516756c8053a529ebbdb02

                                                        SHA1

                                                        c365e633897d7a7960c9b2dc50ebccc156b90f53

                                                        SHA256

                                                        3a92fd3aefe215c484b1992f3095efdccfb7bf8f42cee5ebb33bb10281f763aa

                                                        SHA512

                                                        852845e4b4da8c318e2b054a62425e816033756164c595dde1bd2f8026582de17f39cd65b1b01d05e2c7edd5652845a8618a558556a3cf0343370998b816a5f1

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\scoped_dir3620_1673052324\85afe4ff-8511-4d17-974c-3dd1b63cea3b.tmp
                                                        Filesize

                                                        152KB

                                                        MD5

                                                        dd9bf8448d3ddcfd067967f01e8bf6d7

                                                        SHA1

                                                        d7829475b2bd6a3baa8fabfaf39af57c6439b35e

                                                        SHA256

                                                        fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

                                                        SHA512

                                                        65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___QLZQYMLV_.txt
                                                        Filesize

                                                        1KB

                                                        MD5

                                                        d6d29b3de0829b465ba5a68639770455

                                                        SHA1

                                                        95653aa9fc3a5aba5cf80d7b78b31776d064c4d2

                                                        SHA256

                                                        ef7695c967fba8631f65d781645864f3b0e9f3a6be372c1c502221e4d3811e7d

                                                        SHA512

                                                        85828c9b60ff98eb5cd31bd0d69dee9bf5366bb190823f83ff4d262278fe4de5a5bfe1d3fe4572252c209f5a482c918bcaeb753db4e9755d9707bb1b1e9fee7d

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___VEAOY8_.hta
                                                        Filesize

                                                        75KB

                                                        MD5

                                                        337f363611caad195c46a036f3f0b3d9

                                                        SHA1

                                                        0723d128e7684dbf51fd5dc3ad78d2a9ecb032f8

                                                        SHA256

                                                        16b1bf6c491aa49e78ee1683460128a653287b6da7384d4c4e93bd1a55affd08

                                                        SHA512

                                                        8671c4d97b295344f7312a1f9b2065235af3be8b4e74418ebf9cfee3dfca833ddf42203c81ba2c089d7b9f14bc37989a8a0450cdeec82c46379c217ba4a1d511

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
                                                        Filesize

                                                        1KB

                                                        MD5

                                                        d8e4009455d5e3975237ed4823bf3c6b

                                                        SHA1

                                                        6f70259fe625543a336fa7b37eedd9fc06193bd7

                                                        SHA256

                                                        d6cf8fe4207bd83a2d7aa78ed37a37e3bed7dfc83d8767c7ac1fe2325cbf2a7d

                                                        SHA512

                                                        d4f31f5293ed00fb2de9d1a5e1b1ad0e6e3fa73e4b83ce72ab013107ff214afa16c807fda65fa7da2f3a18d7a4879ae1237f7db36537d13d547c56df44962189

                                                        Download Submit

                                                      • C:\Users\Admin\Downloads\Ransomware.Cerber.zip
                                                        Filesize

                                                        215KB

                                                        MD5

                                                        5c571c69dd75c30f95fe280ca6c624e9

                                                        SHA1

                                                        b0610fc5d35478c4b95c450b66d2305155776b56

                                                        SHA256

                                                        416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

                                                        SHA512

                                                        8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

                                                        Download Submit

                                                      • \??\c:\users\admin\appdata\local\microsoft\office\16.0\excel.exe_rules.xml
                                                        Filesize

                                                        324KB

                                                        MD5

                                                        41e074c9ad81f023b6c42c7d4699b78c

                                                        SHA1

                                                        5fd8a3df402cd32d91271be25efc0d892c39a374

                                                        SHA256

                                                        ebacd941a7c984e24e7a379581e32fe27a20aaac644ede2cff1767b0f8727836

                                                        SHA512

                                                        64fec5c9865ec0d09a9668b3e1b3eac2c5cbabb6187ab552914858a87d541d28cab44e7fe472bc189f89531c912170bfaaaff089a8d267161dadbc15533ce715

                                                        Download Submit

                                                      • memory/5964-1360-0x0000000000400000-0x0000000000435000-memory.dmp

                                                        Filesize

                                                        212KB

                                                        Download

                                                      • memory/5964-1331-0x0000000000400000-0x0000000000435000-memory.dmp

                                                        Filesize

                                                        212KB

                                                        Download

                                                      • memory/5964-1324-0x0000000000400000-0x0000000000435000-memory.dmp

                                                        Filesize

                                                        212KB

                                                        Download

                                                      • memory/5964-927-0x0000000000400000-0x0000000000435000-memory.dmp

                                                        Filesize

                                                        212KB

                                                        Download

                                                      • memory/5964-923-0x0000000000400000-0x0000000000435000-memory.dmp

                                                        Filesize

                                                        212KB

                                                        Download

                                                      • memory/6060-16-0x00007FFA91460000-0x00007FFA91470000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/6060-12-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-18-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-20-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-21-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-23-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-15-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-22-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-36-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-19-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-8-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-11-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-14-0x00007FFA91460000-0x00007FFA91470000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/6060-17-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-10-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-35-0x00007FFAD3D8D000-0x00007FFAD3D8E000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/6060-7-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-0-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/6060-5-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/6060-3-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/6060-38-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-13-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-37-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-9-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-6-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/6060-4-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/6060-2-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/6060-1-0x00007FFAD3D8D000-0x00007FFAD3D8E000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download