{"Win.Dropper.Cerber-9829555-1": {"bis": [{"bi": "pe-encrypted-section", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005", "T1027"]}, {"bi": "memory-execute-readwrite", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005", "TA0004", "T1055"]}, {"bi": "modified-executable", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "created-executable-in-user-dir", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "antivirus-service-flagged-artifact", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "modified-file-in-user-dir", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "pe-invalid-checksum", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "cta-static-analyzer-malicious", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "process-long-cmdline", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005", "T1027"]}, {"bi": "pe-uses-visual-basic", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "deleted-submitted-file", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005", "T1070"]}, {"bi": "compound-vb-self-delete", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": []}, {"bi": "sample-launched-copy-of-self", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005", "T1202"]}, {"bi": "registry-autorun-key-data-dir", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0003", "TA0004", "T1547"]}, {"bi": "registry-autorun-key-modified", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0003", "TA0004", "T1547"]}, {"bi": "unsigned-roaming-execution", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005"]}, {"bi": "process-hollowing-detected", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005", "T1093"]}, {"bi": "malware-ransomware-cerber", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0040", "T1486"]}, {"bi": "startup-folder-modification", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0003", "TA0004", "T1547"]}, {"bi": "process-uses-localhost-traffic", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0007", "T1049"]}, {"bi": "process-ping", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0007", "T1049"]}, {"bi": "process-ping-localhost", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0007", "T1016"]}, {"bi": "startup-folder-lnk-file", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0003", "TA0004", "T1547"]}, {"bi": "process-taskkill", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0005", "T1089"]}, {"bi": "lnk-no-creation-date", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0002", "T1203"]}, {"bi": "registry-autorun-commandprocessor", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0003", "TA0004", "T1547"]}, {"bi": "screen-saver-modified", "hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "mitre_attack_tags": ["TA0003", "TA0004", "T1546"]}], "category": "Dropper", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns other file extensions are used.", "hashes": ["11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172", "4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace"], "iocs": {"domain": [{"hashes": ["11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d"], "host": "ipinfo[.]io"}], "file": [{"hashes": ["11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9", "443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172", "4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5", "60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b", "7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3", "99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c", "af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e", "c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d", "cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2", "ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}"}, {"hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Magnify.lnk"}, {"hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361", "5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Magnify.exe"}, {"hashes": ["11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\RMActivate_ssp.lnk"}, {"hashes": ["11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939", "bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\RMActivate_ssp.exe"}, {"hashes": ["214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\autoconv.lnk"}, {"hashes": ["214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\autoconv.exe"}, {"hashes": ["443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\forfiles.lnk"}, {"hashes": ["443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\forfiles.exe"}, {"hashes": ["c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\perfmon.lnk"}, {"hashes": ["c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\perfmon.exe"}, {"hashes": ["af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wimserv.lnk"}, {"hashes": ["af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\wimserv.exe"}, {"hashes": ["cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wuapp.lnk"}, {"hashes": ["cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\wuapp.exe"}, {"hashes": ["ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\choice.lnk"}, {"hashes": ["ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\choice.exe"}, {"hashes": ["7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\logman.lnk"}, {"hashes": ["7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\logman.exe"}, {"hashes": ["60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\LocationNotifications.lnk"}, {"hashes": ["60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\LocationNotifications.exe"}, {"hashes": ["99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\RunLegacyCPLElevated.lnk"}, {"hashes": ["99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c"], "path": "%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\RunLegacyCPLElevated.exe"}, {"hashes": ["cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ucsvc.lnk"}, {"hashes": ["af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DevicePairingWizard.lnk"}, {"hashes": ["7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\TCPSVCS.lnk"}, {"hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mountvol.lnk"}, {"hashes": ["443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\LicensingUI.lnk"}, {"hashes": ["99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DeviceProperties.lnk"}, {"hashes": ["5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\fsavailux.lnk"}, {"hashes": ["bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\waitfor.lnk"}, {"hashes": ["11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939"], "path": "%APPDATA%\\{887170FA-92BE-4CF1-DD8F-2216FA18A319}\\hostname.exe"}, {"hashes": ["c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d"], "path": "%APPDATA%\\{12B0E734-0A3F-E0CF-8C32-36DB672C6EB5}\\slserv.exe"}, {"hashes": ["214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9"], "path": "%APPDATA%\\{7BD8FF01-74DD-36BB-FD54-3909FE57EE35}\\rdsaddin.exe"}, {"hashes": ["443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172"], "path": "%APPDATA%\\{1FD29803-983A-5E8B-DFC9-0238F95C1579}\\LicensingUI.exe"}, {"hashes": ["60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b"], "path": "%APPDATA%\\{FC1B3494-3F77-29A3-9778-078E9D1EE6BC}\\quser.exe"}, {"hashes": ["4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361"], "path": "%APPDATA%\\{B4B52DEA-25DB-CD0B-5A84-A94BFE483F2B}\\mountvol.exe"}, {"hashes": ["af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803"], "path": "%APPDATA%\\{FC1B3494-3F77-29A3-9778-078E9D1EE6BC}\\DevicePairingWizard.exe"}, {"hashes": ["ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace"], "path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DisplaySwitch.lnk"}, {"hashes": ["ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace"], "path": "%APPDATA%\\{1A2959DB-492A-DF3B-3242-978A3C764D06}\\DisplaySwitch.exe"}, {"hashes": ["7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3"], "path": "%APPDATA%\\{440AA403-3E21-9EF5-2C3B-8480113CFD64}\\TCPSVCS.EXE"}, {"hashes": ["cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2"], "path": "%APPDATA%\\{456A0FD3-C341-B969-2C66-BCDD812A808A}\\ucsvc.exe"}, {"hashes": ["5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5"], "path": "%APPDATA%\\{456A0FD3-C341-B969-2C66-BCDD812A808A}\\fsavailux.exe"}, {"hashes": ["99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c"], "path": "%APPDATA%\\{09CF6125-06F6-A622-4469-8F7DE1839348}\\DeviceProperties.exe"}, {"hashes": ["bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e"], "path": "%APPDATA%\\{35591FDB-67CE-86E4-6E04-F25FCAEED454}\\waitfor.exe"}, {"hashes": ["c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d"], "path": "