Overview

overview

10

Static

static

3

2024-05-24...er.exe

windows7-x64

10

2024-05-24...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe

  • Size

    207KB

  • MD5

    ca78d1193cae9708942d3a1266947b3e

  • SHA1

    63d6f8ddc1dd9eab848cd71ce60d9ba9b3bd733e

  • SHA256

    ca3282264b6fb5a3aae171d76a8a27ad1e121e0b3dd682eb4d2e8ff03e2ace57

  • SHA512

    f6f39fb4d9ba81cc892c0de665e3d0d3b285f7b5cbea1bdb78ca21eb86dfa05a0c2ac93fc3ab985ee45cd15883d0347bb61615436e3a58f998106e7751784437

  • SSDEEP

    6144:634clT8CJLtVXW+BPGaDEoP/Siazel15:s4uT8CJpVm+BuaDj/Sps

Score
10/10
cerberdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE" id="url_1" target="_blank">http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://bqyjebfh25oellur.onion.cab/CAFE-7ED9-B609-0046-1CCE" target="_blank">http://bqyjebfh25oellur.onion.cab/CAFE-7ED9-B609-0046-1CCE</a></li> <li><a href="http://bqyjebfh25oellur.onion.nu/CAFE-7ED9-B609-0046-1CCE" target="_blank">http://bqyjebfh25oellur.onion.nu/CAFE-7ED9-B609-0046-1CCE</a></li> <li><a href="http://bqyjebfh25oellur.onion.link/CAFE-7ED9-B609-0046-1CCE" target="_blank">http://bqyjebfh25oellur.onion.link/CAFE-7ED9-B609-0046-1CCE</a></li> <li><a href="http://bqyjebfh25oellur.tor2web.org/CAFE-7ED9-B609-0046-1CCE" target="_blank">http://bqyjebfh25oellur.tor2web.org/CAFE-7ED9-B609-0046-1CCE</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE" id="url_2" target="_blank">http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE" id="url_3" target="_blank">http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE" id="url_4" target="_blank">http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://bqyjebfh25oellur.onion/CAFE-7ED9-B609-0046-1CCE</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); }

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE | | 2. http://bqyjebfh25oellur.onion.cab/CAFE-7ED9-B609-0046-1CCE | | 3. http://bqyjebfh25oellur.onion.nu/CAFE-7ED9-B609-0046-1CCE | | 4. http://bqyjebfh25oellur.onion.link/CAFE-7ED9-B609-0046-1CCE | | 5. http://bqyjebfh25oellur.tor2web.org/CAFE-7ED9-B609-0046-1CCE |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://bqyjebfh25oellur.onion/CAFE-7ED9-B609-0046-1CCE | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE

http://bqyjebfh25oellur.onion.cab/CAFE-7ED9-B609-0046-1CCE

http://bqyjebfh25oellur.onion.nu/CAFE-7ED9-B609-0046-1CCE

http://bqyjebfh25oellur.onion.link/CAFE-7ED9-B609-0046-1CCE

http://bqyjebfh25oellur.tor2web.org/CAFE-7ED9-B609-0046-1CCE

http://bqyjebfh25oellur.onion/CAFE-7ED9-B609-0046-1CCE

Signatures

  • Cerber 2 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Contacts a large (522) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe"
    1⤵
    • Cerber
    • Modifies visiblity of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe
      "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe"
      2⤵
      • Cerber
      • Modifies visiblity of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2564
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:316
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1240
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:628
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3012
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275458 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2200
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1356
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1692
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /f /im "DeviceProperties.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im "DeviceProperties.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2132
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2248
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /f /im "2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1808
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im "2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:2552
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2016
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2720

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Windows Management Instrumentation

        1
        T1047

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Defense Evasion

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Modify Registry

        5
        T1112

        Indicator Removal

        2
        T1070

        File Deletion

        2
        T1070.004

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Network Service Discovery

        1
        T1046

        System Information Discovery

        2
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        3
        T1490

        Defacement

        1
        T1491

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9a3b93e2214b2d156060e66d95a3191a

          SHA1

          79db77671b6381913bcc46e9075517d2afddce6e

          SHA256

          b598d5ed787ca3a75aa7ad2829e464b7aa5ce061341d01b52968c969219b8884

          SHA512

          d0acddf9ca5d42e2daeaf23726904b0aad41203cde861a64993b5e6893247d1659acf5580288ee47a7ed4cf3aa2f1df737b1b0dfaa76281edac51db915008f50

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          4b59cd5c263415acb88eb46e17084cb6

          SHA1

          ecb4df32bb2576dc6901a5f3aa549122e8885ee7

          SHA256

          b430c0f63b7358ff0e5161e875fde12690d15a9ae90225a6a3177977343be88a

          SHA512

          215656e3fce077d03f3b29d1d541d4f7357034f9f24122d1e09b1bec9358e06825e8e15d8481401ab61cd6cb745afa1da04a8cd84e4ee11016b85794d8bd8ddc

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6f216fe069c5e4100f41e5db0e076bc2

          SHA1

          4f469e921ce963fe2216fb75fc7ae11bbe52cfb1

          SHA256

          dd8eb7b4c5d23e11e1e29fc5eed02a6a2005cea9d27b3d57c279a7512b6e5d76

          SHA512

          2ca2c9a1509200d4f04cda7a2f5f3aa1ea91841b52f1147be7b29435e07d8adfe345c1524f17dc515aea548447752873cf65711ec162ac4e5cf805a0853fb410

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6e49eaea0da141a9a32a3d3823350e5e

          SHA1

          4aa9e5fa9f05c9d53c3b9bf37d5be411e689e758

          SHA256

          499f17684b8f08d21c2cf643e74cbfe9e094a91561d9204b2092fd58200d8236

          SHA512

          ff806d90e4bb219a419111e6dc1fc3dbb1aef76212d7ae901537c2a5bcf0da1c72b3ab44a23fcf629d8e9d7182c8bd8269c286de807f8c07985b8ee97d5c3138

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          49e246ba23e1757cfc88cdaaa3393495

          SHA1

          8e328ab4943454f1936ff0fa4d62c28144d23979

          SHA256

          41e854241f490fbfa95f9abcceb4137e70578fb100c0d58c2ab4f6584b18b6b3

          SHA512

          16e313bd7ce515ccc2771542e5c3124e2881c4a08e6076b6efca10b6e0b4b945453bc50b24e615e09b059b5d8d864f6ebf15a79db9d7a635efa9f6e185af7e6a

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          347235d9ffe8d3fbec9fdbb01359c9f4

          SHA1

          f05da2b240140b7e8473d957390b210c683a406e

          SHA256

          92a453d62a7507db51d182c117f13967b54999f3f2bb3ee495560fd8bb3864df

          SHA512

          254077a3f2892bc3eae82b439214f8127903cbe9ecf3535f8c5042ffb876a82b8bf57750556407409d9efee16e67da5a77f2c314fce4a6c1de5772ec4b68d853

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          5be0166b4ae670c72408776d767e1256

          SHA1

          0dbfeb200cef1030f1a6bb621b999252c75ba7a2

          SHA256

          293af01db2b1a9257467dbb628ecbd9dfedecb06f7939c661feb26ddd020db2e

          SHA512

          31141ea42983cfea6732e138df52635e0b6a58121b1676e3810eb0e5091ea6de485f2decd46e63efb0010e014fd625d9a3a76b542b6eded73afbd2fcf40a4f05

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          4eeef0678bde370c2f2cede3f9cb9bba

          SHA1

          45cf37329a4482f8ebfcb254078330f53d6d64ad

          SHA256

          7705115b158895fac53ade786c2480e6bb93badfc7d7b002c87294fb25dc7934

          SHA512

          b5130abbace1188dba36337c4d6ede681bc295de4afdeb5e7d1fcb0572944100f861642c0745928b918d71b5afbb6284619c7694967bdf8e84a70ba2c55a7cdb

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          2bb907a79cd7219eaeba41ca3d429f63

          SHA1

          16b5f6cd780ee2f66ff989ad77cd988e1556632b

          SHA256

          8ec9f2f4f18cf537ade6ed9ce4da1e9358b4e42bc2b4f9e407988c86b490c69e

          SHA512

          fb97e68a0c12422a5b190cba618652ea1e6ef0387e0f690572d0444a5ae37946cd3cc44e2f3b640950bb0dcb9bd35e166f8f10d9977b67a52f1a4901bf4bbb66

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          710e2734f2d71108ec121b2e6c1141e6

          SHA1

          4597d2b1a0220beba38c703635d92f623bee7e20

          SHA256

          a7efad9c051df2b976a48611d4e37f1f68b764f8f46112a290e53a9a1afc7644

          SHA512

          40a3f2f182bc498f69b7771b1977dec6ee2ec0dc31d6b481440d7760bfea135f7c17560e3eb19cda1a3c3533f7e46e0c6eecc3c58a9c4ea9ff14f694941f04ee

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          91fcc1d84e974224777c04c8124f3e5f

          SHA1

          93d9faee28aa787c056b87f9201290b263c5dbdd

          SHA256

          84642cf3dc53e60fe4f2418886052d885de5637131e0e92a69cbbebce47c0156

          SHA512

          0848d649717f2c1a73278303966149d813c41cd56e36aa7a72759b717caa13969efbc1f8c9a81b113235af0852dc72a58cc9f0034f7eb800478875d50e33f6b4

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          69a3a52e3f6c378a851b2047bdeb82a5

          SHA1

          000e9a86a419fee8b9ad138dc229487600ef3dcd

          SHA256

          17bfed1c2bac295d709bb89fd75607f7b747c0f0f43547201cf10f279b4ba483

          SHA512

          5bf9cdc29f51b02e576b40c484fb2814477653bb6915e3ad0b68c715005a7603443d99ae577b365d087140fea659fd2a642277c86ae4ef7a91cb062513641357

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          2017b0c5aa9fc9f3da48a54e5a225a71

          SHA1

          0341716e0323438e12251e8b5671b19542d5b3cc

          SHA256

          23369328edc8d125ba3971400b9e93c39fa6bdf07e8ac9405cac48f91120caff

          SHA512

          2589dd3fa45c05a33df0aa3bddd06155206651d401f865e8b1fad2c3250589a72a13106979641fa0695639d59295edbbcadce28a0b5588ec9072cd9fa766cd5d

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          8231acef80cb84565f38d21fbb455b1e

          SHA1

          1fa4d9f40e7f6af2fe65907b66171ee00cc5ddb4

          SHA256

          a572b11d1cc9fe74da3e8a45b3aa4598f17ee6c16808ecd87605c7f971f8eb63

          SHA512

          696bfc685be39ac5f462e8455f66117e15c665aefb51b4fda921789cccab1f587eead3fb8b3d29f42855b0a92ed73e52c17ca2bd1f91e6d661075d9722199c61

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          982a037a45623728924f6ba3215ff3fb

          SHA1

          cef24c81d567de63809526d2b919b8a47318311b

          SHA256

          43ed1616d5f88200ab86f6a0ac96fbf45e71dabd1ecd7cc30e4f6f5d123920ae

          SHA512

          8af4d9e26874a9a9376f83e195b3ce8f29c843c7807e805bc35993fe8fc458f04a6d8e2df1b5b8aad2e0c67b12621025d6448ae89918870ae863036792d0fd12

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          dc54a6fa5bc8c613d491c065a04cc801

          SHA1

          6a14725fa88886ec7be21c002957e8ff94c6fff4

          SHA256

          69b47c157776027ece4a3740203e48a3616da481fef57c856325b32c643e4023

          SHA512

          c2ca0b54b071f1a326042593c557a6ae486042ab8d7d52d5bb4763e6264419d26eac468b93271a1432d364b59e85daaec5f0bdf86662ca647967d7581ad24b3b

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          3aea5d79152247f45d844e40373b3ece

          SHA1

          9b24675ea3403d6419ac77914e795323e1453b61

          SHA256

          ec3da845ffbf567adc878a68a1d070c7dc5827a8400c6281cf6257d9a168cda6

          SHA512

          d142ea8f16639224c53b53282e8485c4d482f98f6877c4f87c6d2391fe87badf05004eeb67a85d0456ce499feaae8eaf9cbbb87eee8c7a2a18fbba5362f17d3f

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B2FFF81-19EE-11EF-8D12-66A5A0AB388F}.dat
          Filesize

          5KB

          MD5

          e1b10cb662a910038293bbd1ed37dbd7

          SHA1

          12561f7e6cbfdc9785e22f58852bd35da0811ee3

          SHA256

          f3e410cbd0f522d3c33ab8eb4e4ebce78fa647eb6b76bb45da72c87b009131b6

          SHA512

          20c65e811eabd61fb1486c8e470b59dcc6198dff18ec7100b3c0cda17fabeb3d0ade47e0122c2332d8d2b7c5c6d87d15d796ea88fdeba58193d13a2c79900677

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\json[1].json
          Filesize

          297B

          MD5

          bd0c2d8e6b0fe0de4a3869c02ee43a85

          SHA1

          21d8cca90ea489f88c2953156e6c3dec6945388b

          SHA256

          3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533

          SHA512

          496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\CabE13C.tmp
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\TarE19E.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          Download Submit
        • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
          Filesize

          19KB

          MD5

          dd22b4619d4fcf7fa4667deae5bf1fe7

          SHA1

          3a62b56e8961a533061f269585c1107ddba91814

          SHA256

          e0e70f81793d7d454bfe337b698f281c3e6587e7145aa8d050f81927e798d13d

          SHA512

          87dec7b4d965a973a90df9e8ebbad9c75e11306e7d22832fe328f58e3b70a0991a401a906939400c33fba2d64d0343d0eb27f62e02ac250696b0a60f19e97045

          Download Submit
        • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
          Filesize

          10KB

          MD5

          72da06f7b65a373f0f75b8e37f148ce9

          SHA1

          ab04c9cde3aac041f3d9f8f63019fd611685bf23

          SHA256

          80310d9c187a3ab6c145c425d281dcddb5932f99b8f40c5db1fc0009f2334382

          SHA512

          f915697900b7a27646b2e597723b06bcf4cc9ad89e37a9cc8fb0fc4a3c16e1292b9b05dcb817795907bf0046bf1706d07efa7f9354f35183953a459388b45e0f

          Download Submit
        • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.url
          Filesize

          88B

          MD5

          d539318642a35d521c8a7a39f03b373c

          SHA1

          21cd440b8789dd7e7323f97775d0ba65028ffbd6

          SHA256

          291158ee678fefcc9589ca23eb26b0e0af6e97181c93fb1f5a660027992a45c0

          SHA512

          0ac74a605f68aee290405288a8ddc499155955d8b08f3b913f9759de0abf7ef29d4ff8d8d15608840a801986418b75e80de01befaf664c58f69c89721984543a

          Download Submit
        • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.vbs
          Filesize

          252B

          MD5

          18d46f5d8ebd3c7d6df0c7a8fd1bd64d

          SHA1

          aeb8407457434aabce2a4c2f95fe305c5303f929

          SHA256

          ceb35b75d397b07c84dfab3a28189e9431bdf80ec99ab65f9ccf01986bd4a8e9

          SHA512

          35fc759be0dee77eb9e39350873c24d9693cf6f370f171814e2ce6250ea814fea8a0887442ebae9077d6e9ff81ae7034faa0afcb080401a7d4ac384d2ba42d65

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\DeviceProperties.lnk
          Filesize

          1KB

          MD5

          abdb1a8d0d408dba2f98a0a4e9911246

          SHA1

          510eeb502ac7def8d95500ea9dc027c58a55de9c

          SHA256

          0b3736825d59497576b910a675f0a752d5c8a5c062093ea6fccf4d3cbfef7f9b

          SHA512

          00c9f9b3b86f524cb11a5a0890df83083e52fda2e5cafcc3c6c4bd3af57ed4f0d467a509814695b87e0e30a0087ae65e15973e06be093e51e1a926747feb185d

          Download Submit
        • \??\PIPE\samr
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit
        • \Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe
          Filesize

          207KB

          MD5

          ca78d1193cae9708942d3a1266947b3e

          SHA1

          63d6f8ddc1dd9eab848cd71ce60d9ba9b3bd733e

          SHA256

          ca3282264b6fb5a3aae171d76a8a27ad1e121e0b3dd682eb4d2e8ff03e2ace57

          SHA512

          f6f39fb4d9ba81cc892c0de665e3d0d3b285f7b5cbea1bdb78ca21eb86dfa05a0c2ac93fc3ab985ee45cd15883d0347bb61615436e3a58f998106e7751784437

          Download Submit
        • memory/2796-414-0x0000000003950000-0x0000000003952000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2796-18-0x0000000002230000-0x0000000002231000-memory.dmp
          Filesize

          4KB

          Download