Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 16:52

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
  Resource: win10v2004-20240426-en

General
Target: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Size: 207KB
MD5: ca78d1193cae9708942d3a1266947b3e
SHA1: 63d6f8ddc1dd9eab848cd71ce60d9ba9b3bd733e
SHA256: ca3282264b6fb5a3aae171d76a8a27ad1e121e0b3dd682eb4d2e8ff03e2ace57
SHA512: f6f39fb4d9ba81cc892c0de665e3d0d3b285f7b5cbea1bdb78ca21eb86dfa05a0c2ac93fc3ab985ee45cd15883d0347bb61615436e3a58f998106e7751784437
SSDEEP: 6144:634clT8CJLtVXW+BPGaDEoP/Siazel15:s4uT8CJpVm+BuaDj/Sps
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
Extracted from: C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
Payment URLs (one hidden service, bqyjebfh25oellur.onion, reached directly or through five Tor2web-style clearnet gateways; the path segment CAFE-7ED9-B609-0046-1CCE is the per-victim identifier):
http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.onion.cab/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.onion.nu/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.onion.link/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.tor2web.org/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.onion/CAFE-7ED9-B609-0046-1CCE
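The six URLs above are really one indicator. The following Python is an added example, not part of the sandbox report or of Cerber itself: it takes a ransom-note body, collapses every gateway URL to its canonical .onion host plus victim ID, and defangs the result for a report. The note text is constructed for the example from the URLs listed above (the sandbox export does not include the note body); the helper names (extract_tor_iocs, canonical_onion, defang) and the gateway list are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a Cerber-style "# DECRYPT MY FILES #.txt" fragment assembled for this
# example from the gateway URLs in the Malware Config. It is not the note from the sandbox run.
SAMPLE_NOTE = """\
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files you need to buy the special software.
Please visit one of the following links:
http://bqyjebfh25oellur.onion.to/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.onion.cab/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.onion.nu/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.onion.link/CAFE-7ED9-B609-0046-1CCE
http://bqyjebfh25oellur.tor2web.org/CAFE-7ED9-B609-0046-1CCE
If none of them work, install Tor Browser and open:
http://bqyjebfh25oellur.onion/CAFE-7ED9-B609-0046-1CCE
"""

# Clearnet front-ends (Tor2web-style proxies) that map <onion-name>.<gateway> to a hidden service.
# Assumed list for this example; extend it with whatever gateways your notes actually use.
GATEWAY_SUFFIXES = (".onion.to", ".onion.cab", ".onion.nu", ".onion.link", ".tor2web.org")

URL_RE = re.compile(r"https?://(?P<host>[^\s/]+)(?P<path>/\S*)?", re.I)


@dataclass(frozen=True)
class TorIoc:
    onion_host: str          # canonical hidden-service host
    victim_id: str           # first path segment, the per-victim identifier
    observed_hosts: tuple    # every host form seen in the note, gateways included


def canonical_onion(host: str):
    """Map a gateway host back to its .onion name; None if the host is not Tor-related."""
    host = host.lower()
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)] + ".onion"
    return host if host.endswith(".onion") else None


def extract_tor_iocs(note: str):
    """Collapse all gateway/onion URLs in a note to (onion host, victim id) pairs."""
    grouped = {}
    for m in URL_RE.finditer(note):
        onion = canonical_onion(m.group("host"))
        if onion is None:
            continue  # ignore non-Tor URLs (vendor links, Tor Browser download pages)
        victim_id = (m.group("path") or "").strip("/").split("/")[0]
        grouped.setdefault((onion, victim_id), set()).add(m.group("host").lower())
    return [TorIoc(o, v, tuple(sorted(h))) for (o, v), h in sorted(grouped.items())]


def defang(url: str) -> str:
    """Render a URL or host safe to paste into a ticket or report."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")


if __name__ == "__main__":
    for ioc in extract_tor_iocs(SAMPLE_NOTE):
        print(defang("http://" + ioc.onion_host + "/" + ioc.victim_id))
        print("  seen via:", ", ".join(defang(h) for h in ioc.observed_hosts))
```

Blocking the gateway hostnames individually is pointless, since the operator can add another proxy at any time; the onion name and the victim ID are what identify this campaign and this victim.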
Signatures

Cerber 2 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.
Processes:
  Mutant opened: shell.{A13FF115-2D96-1BB0-1314-4A8D4B889E10} [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
  Mutant created: shell.{A13FF115-2D96-1BB0-1314-4A8D4B889E10} [DeviceProperties.exe]
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
  Set value (int): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
  Set value (int): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" [DeviceProperties.exe]
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  1240 bcdedit.exe
  628 bcdedit.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [DeviceProperties.exe]
Contacts a large (522) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. For Cerber the more likely explanation is its known habit of sending UDP statistics beacons to every address in a hard-coded IP range after encryption; the Network section of this export is empty, so the destinations cannot be confirmed from this report alone.
Deletes itself 1 IoCs
Processes:
  1808 cmd.exe
Drops startup file 2 IoCs
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\DeviceProperties.lnk [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\DeviceProperties.lnk [DeviceProperties.exe]
Executes dropped EXE 1 IoCs
Processes:
  2796 DeviceProperties.exe
Loads dropped DLL 3 IoCs
Processes:
  836 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe (x2)
  2796 DeviceProperties.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
No process is attributed to this signature in the export. The only browser activity in the trace is the iexplore.exe that DeviceProperties.exe launches to display the ransom note, so this is most likely Internet Explorer touching its own profile rather than credential theft; treat it as a weak indicator for this sample.
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\DeviceProperties = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DeviceProperties = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\DeviceProperties = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [DeviceProperties.exe]
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DeviceProperties = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [DeviceProperties.exe]
Checks whether UAC is enabled 1 IoCs
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA [DeviceProperties.exe]
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 2: ip-api.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC275.bmp" [DeviceProperties.exe]
Drops file in Program Files directory 15 IoCs
Processes (all DeviceProperties.exe):
  Under C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\
    File opened for modification: BLANK.ONE, BUSINESS.ONE, PLANNERS.ONE, ACADEMIC.ONE, DESIGNER.ONE
    File created: # DECRYPT MY FILES #.vbs, # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.url, # DECRYPT MY FILES #.txt
  Under C:\Program Files (x86)\Microsoft Office\Office14\OneNote\
    File opened for modification: SendToOneNote-PipelineConfig.xml, SendToOneNote.ini
    File created: # DECRYPT MY FILES #.vbs, # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, # DECRYPT MY FILES #.url
The pattern is the encryption pass: data files are opened for modification and the ransom note is dropped in four formats (.vbs, .html, .url, .txt) into every directory it visits.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  2564 vssadmin.exe
Kills process with taskkill 2 IoCs
Processes:
  2520 taskkill.exe
  2132 taskkill.exe
Modifies Control Panel 4 IoCs
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop [DeviceProperties.exe]
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [DeviceProperties.exe]
  Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\DeviceProperties.exe\"" [2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe]
Pointing SCRNSAVE.EXE at the dropped binary is another persistence path (screensaver, ATT&CK T1546.002) alongside the Run, RunOnce and policy Run keys and the Startup-folder .lnk above: the payload relaunches whenever the screensaver fires.
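The persistence signatures above (policy Run key, Startup-folder .lnk, Run/RunOnce and SCRNSAVE.EXE) all point the same dropped binary at the same GUID-named AppData directory. The Python below is an added example, not part of the report: it triages registry-write events of the shape shown in these signatures, flags autostart locations, and escalates when one process wires a single user-writable target into several of them. The event list is constructed from the registry writes quoted above plus one benign Run entry as a control; RegEvent, classify, persistence_findings and the key/path patterns are assumptions of this example, not a sandbox or EDR schema.

```python
import re
from typing import NamedTuple


class RegEvent(NamedTuple):
    process: str
    key: str
    value: str   # value name; "" for the key's default value
    data: str


SID = "S-1-5-21-2737914667-933161113-3798636211-1000"
HKU = "\\REGISTRY\\USER\\" + SID
DROPPED = r'"C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe"'

# Constructed from the registry writes listed in the signatures above, plus one benign
# Run entry (a vendor updater under Program Files) as a control. Not a raw sandbox export.
EVENTS = [
    RegEvent("DeviceProperties.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run", "DeviceProperties", DROPPED),
    RegEvent("DeviceProperties.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce", "DeviceProperties", DROPPED),
    RegEvent("DeviceProperties.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "", DROPPED),
    RegEvent("DeviceProperties.exe", HKU + r"\Control Panel\Desktop", "SCRNSAVE.EXE", DROPPED),
    RegEvent("DeviceProperties.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "0"),
    RegEvent("setup.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater", r'"C:\Program Files\Vendor\updater.exe"'),
]

# Autostart locations matched by key suffix (case-insensitive). The Control Panel\Desktop
# entry only counts when the value written is SCRNSAVE.EXE; Wallpaper writes are ignored.
AUTOSTART_KEYS = {
    r"\Software\Microsoft\Windows\CurrentVersion\Run": "Run key (T1547.001)",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce": "RunOnce key (T1547.001)",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": "policy Run key (T1547.001)",
    r"\Control Panel\Desktop": "screensaver SCRNSAVE.EXE (T1546.002)",
}
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\ProgramData\\|\\Users\\Public\\", re.I)
GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)


def classify(ev: RegEvent):
    """Return (location label, extra flags) if the write creates an autostart entry, else None."""
    for suffix, label in AUTOSTART_KEYS.items():
        if not ev.key.lower().endswith(suffix.lower()):
            continue
        if suffix.endswith("Desktop") and ev.value.upper() != "SCRNSAVE.EXE":
            return None
        flags = []
        if USER_WRITABLE.search(ev.data):
            flags.append("target in user-writable path")
        if GUID_DIR.search(ev.data):
            flags.append("GUID-named directory")
        return label, flags
    return None


def persistence_findings(events):
    """Group autostart writes by (process, target). One binary wired into several
    autostart locations from a user-writable GUID directory is the Cerber pattern."""
    grouped = {}
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        label, flags = hit
        entry = grouped.setdefault((ev.process, ev.data), {"locations": [], "flags": set()})
        entry["locations"].append(label)
        entry["flags"].update(flags)
    findings = []
    for (process, target), e in grouped.items():
        severity = "high" if len(e["locations"]) >= 2 or e["flags"] else "low"
        findings.append({"process": process, "target": target, "locations": e["locations"],
                         "flags": sorted(e["flags"]), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in persistence_findings(EVENTS):
        print(f["severity"].upper(), f["process"], "->", f["target"])
        for loc in f["locations"]:
            print("   ", loc)
        for flag in f["flags"]:
            print("   !", flag)
```

Grouping by target rather than alerting on each key is what separates this sample from an installer: a legitimate updater registers one Run value under Program Files, while here the same AppData binary is registered four times by the process that dropped it.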
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer. This activity comes from the iexplore.exe instances launched to display the ransom note (see the process tree), not from the ransomware binary itself; repeated entries are collapsed with a count.
Processes: IEXPLORE.EXE, iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
Keys created (iexplore.exe unless noted):
  BrowserEmulation\LowMic (x2)
  DomainSuggestion
  GPU (x2)
  IETld\LowMic (x2)
  IntelliForms (x2)
  InternetRegistry (x2)
  LowRegistry (x2)
  LowRegistry\DOMStorage (x2)
  LowRegistry\DontShowMeThisDialogAgain (x2)
  Main (iexplore.exe x2, IEXPLORE.EXE x3)
  Main\WindowsSearch (iexplore.exe x2, IEXPLORE.EXE x1)
  PageSetup (x2)
  Recovery\AdminActive (x2)
  Recovery\PendingRecovery (x2)
  SearchScopes
  TabbedBrowsing
  TabbedBrowsing\NewTabPage
  Toolbar (x2)
  Toolbar\WebBrowser (x2)
  Zoom (x2)
Values set (iexplore.exe unless noted):
  Main\WindowsSearch\Version = "WS not running" (str; IEXPLORE.EXE x1, iexplore.exe x2)
  Main\FullScreen = "no" (str, x2)
  Main\CompatibilityFlags = "0" (int, x2)
  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (data)
  Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 (data)
  SearchScopes\DownloadRetries = "3" (int)
  DomainSuggestion\NextUpdateDate = "422731459" (int)
  TabbedBrowsing\NTPFirstRun = "1" (int)
  TabbedBrowsing\NewTabPage\MFV = [value removed from the export] (data)
  TabbedBrowsing\NewTabPage\LastProcessed = 704df3ddfaadda01 (data)
  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000042f4135baad4fdb8169e96b000042f417b79cd85a84f2c41b5ecad4872d52599000000000e8000000002000020000000a4eb87c508ec1aeaf6ecabdfb0a436541e3913f2e4dcaf550eaff8135105e3fd200000003d53f0c90a7d67798dd8189ec5347f04e8cb9882941a643aba40895e93d9a229400000008c197a767c6d711b37713301c2ee82c96a34c113d6d77b7086e501eb713e901661a39da755cb963c6d61657fb22b089b760bf06d2b314c6c0a8fef03bbca419e (data; the 01000000d08c9ddf... prefix is a DPAPI blob header)
  Recovery\PendingRecovery\AdminActive = "0" (int, x2)
  Recovery\PendingRecovery\AdminActive = "1" (int, x2)
  Recovery\AdminActive\{1B2FFF81-19EE-11EF-8D12-66A5A0AB388F} = "0" (int)
  Recovery\AdminActive\{1B398501-19EE-11EF-8D12-66A5A0AB388F} = "0" (int)
Runs ping.exe 1 TTPs 2 IoCs
Processes:
  2552 PING.EXE
  2248 PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  2796 DeviceProperties.exe (64 events)
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
  836 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe: SeDebugPrivilege
  2520 taskkill.exe: SeDebugPrivilege
  2796 DeviceProperties.exe: SeDebugPrivilege
  3024 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  316 wmic.exe (the same 20 privileges enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  2132 taskkill.exe: SeDebugPrivilege
The numeric entries 33, 34 and 35 are the LUIDs of SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. wmic.exe enabling every privilege in its token is its normal start-up behaviour and not specific to this sample; the SeDebugPrivilege requests by the two ransomware binaries and by taskkill.exe are the entries worth correlating.
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  1776 iexplore.exe (x2)
  3020 iexplore.exe
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
  1776 iexplore.exe (x4)
  3020 iexplore.exe (x2)
  3012 IEXPLORE.EXE (x2)
  2016 IEXPLORE.EXE (x2)
  2200 IEXPLORE.EXE (x4)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (parent PID -> child PID; each pair is logged four times by the sandbox unless noted):
  836 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe -> 2796 DeviceProperties.exe (x4)
  836 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe -> 1808 cmd.exe (x4)
  1808 cmd.exe -> 2520 taskkill.exe (x4)
  1808 cmd.exe -> 2552 PING.EXE (x4)
  2796 DeviceProperties.exe -> 2564 vssadmin.exe (x4)
  2796 DeviceProperties.exe -> 316 wmic.exe (x4)
  2796 DeviceProperties.exe -> 1240 bcdedit.exe (x4)
  2796 DeviceProperties.exe -> 628 bcdedit.exe (x4)
  2796 DeviceProperties.exe -> 1776 iexplore.exe (x4)
  2796 DeviceProperties.exe -> 1356 NOTEPAD.EXE (x4)
  1776 iexplore.exe -> 3012 IEXPLORE.EXE (x4)
  3020 iexplore.exe -> 2016 IEXPLORE.EXE (x4)
  1776 iexplore.exe -> 2200 IEXPLORE.EXE (x4)
  2796 DeviceProperties.exe -> 1692 WScript.exe (x4)
  2796 DeviceProperties.exe -> 2604 cmd.exe (x4)
  2604 cmd.exe -> 2132 taskkill.exe (x3)
  2604 cmd.exe -> 2248 PING.EXE (x1)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation shows parent/child nesting; PIDs are taken from the signature tables above. The two cmd.exe chains use taskkill to stop the parent, ping -n 1 127.0.0.1 as a short delay, then del to remove the parent's image: the original sample deletes itself after handing off to the dropped copy, and the dropped copy deletes itself after the encryption run.

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe [PID 836]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe"
  - Cerber
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe [PID 2796]
    cmdline: "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe"
    - Cerber
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe [PID 2564]
      cmdline: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\system32\wbem\wmic.exe [PID 316]
      cmdline: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\bcdedit.exe [PID 1240]
      cmdline: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

    C:\Windows\System32\bcdedit.exe [PID 628]
      cmdline: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Program Files\Internet Explorer\iexplore.exe [PID 1776]
      cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [PID 3012]
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [PID 2200]
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275458 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

    C:\Windows\system32\NOTEPAD.EXE [PID 1356]
      cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

    C:\Windows\System32\WScript.exe [PID 1692]
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

    C:\Windows\system32\cmd.exe [PID 2604]
      cmdline: /d /c taskkill /f /im "DeviceProperties.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\DeviceProperties.exe" > NUL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\taskkill.exe [PID 2132]
        cmdline: taskkill /f /im "DeviceProperties.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\PING.EXE [PID 2248]
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe

  C:\Windows\SysWOW64\cmd.exe [PID 1808]
    cmdline: /d /c taskkill /f /im "2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe" > NUL
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe [PID 2520]
      cmdline: taskkill /f /im "2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\PING.EXE [PID 2552]
      cmdline: ping -n 1 127.0.0.1
      - Runs ping.exe

C:\Windows\system32\vssvc.exe [PID 3024]
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\iexplore.exe [PID 3020]
  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [PID 2016]
    cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Matrix (ATT&CK v13; the number in parentheses is the count of matching signatures)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (5)
  - Indicator Removal (2)
    - File Deletion (2)
Downloads