gozi | 27f3384ffb49590d669a02beaeb350eb603eb752f065ffc570d0ff30c7bcd156

Analysis

max time kernel
128s
max time network
129s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024052783237ebead491c851477fd609d999112cerber.exe
Size

177KB
MD5

83237ebead491c851477fd609d999112
SHA1

959652b34973aa73161f7f02acffe667b37e3562
SHA256

27f3384ffb49590d669a02beaeb350eb603eb752f065ffc570d0ff30c7bcd156
SHA512

1b686f3fc8bf1251313396148ef2cfe711d6cd2634d5dc4f3815476f765896f333d1c430579833db7c5d4aec015ae368367942fd0c38457becb7d22f59b694cc
SSDEEP

3072:5UtN1FlUqaTkJPFAJwt33qFS2Ac/koKJFfFlo4U7ipdS8TZGVZ+Fbvc9A:W1F9EkJPyG3qqchjD7u6Ovx

Score

10^/10

gozi banker defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Ransom Note

CERBER RANSOMWARE ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313 | | 2. http://cerberhhyed5frqa.onion.cab/3515-C54D-5091-0072-8313 | | 3. http://cerberhhyed5frqa.onion.nu/3515-C54D-5091-0072-8313 | | 4. http://cerberhhyed5frqa.onion.link/3515-C54D-5091-0072-8313 | | 5. http://cerberhhyed5frqa.tor2web.org/3515-C54D-5091-0072-8313 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/3515-C54D-5091-0072-8313 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313

http://cerberhhyed5frqa.onion.cab/3515-C54D-5091-0072-8313

http://cerberhhyed5frqa.onion.nu/3515-C54D-5091-0072-8313

http://cerberhhyed5frqa.onion.link/3515-C54D-5091-0072-8313

http://cerberhhyed5frqa.tor2web.org/3515-C54D-5091-0072-8313

http://cerberhhyed5frqa.onion/3515-C54D-5091-0072-8313

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>CERBER RANSOMWARE</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313</a></li> <li><a href="http://cerberhhyed5frqa.onion.cab/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.onion.cab/3515-C54D-5091-0072-8313</a></li> <li><a href="http://cerberhhyed5frqa.onion.nu/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.onion.nu/3515-C54D-5091-0072-8313</a></li> <li><a href="http://cerberhhyed5frqa.onion.link/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.onion.link/3515-C54D-5091-0072-8313</a></li> <li><a href="http://cerberhhyed5frqa.tor2web.org/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.tor2web.org/3515-C54D-5091-0072-8313</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313" target="_blank">http://cerberhhyed5frqa.onion.to/3515-C54D-5091-0072-8313</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/3515-C54D-5091-0072-8313 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Contacts a large (16393) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1900 bcdedit.exe
1924 bcdedit.exe

pid	process
1900	bcdedit.exe
1924	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024052783237ebead491c851477fd609d999112cerber.execharmap.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	2024052783237ebead491c851477fd609d999112cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	charmap.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe

pid	process
1680	cmd.exe

Drops startup file 2 IoCs

Processes:

2024052783237ebead491c851477fd609d999112cerber.execharmap.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\charmap.lnk	2024052783237ebead491c851477fd609d999112cerber.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\charmap.lnk	charmap.exe

Executes dropped EXE 3 IoCs

Processes:

charmap.execharmap.execharmap.exe

pid process

1940 charmap.exe
2768 charmap.exe
1768 charmap.exe
Loads dropped DLL 2 IoCs

Processes:

2024052783237ebead491c851477fd609d999112cerber.execharmap.exe

pid process

1276 2024052783237ebead491c851477fd609d999112cerber.exe
1940 charmap.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1276	2024052783237ebead491c851477fd609d999112cerber.exe
1940	charmap.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024052783237ebead491c851477fd609d999112cerber.execharmap.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	2024052783237ebead491c851477fd609d999112cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	2024052783237ebead491c851477fd609d999112cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	charmap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	charmap.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

charmap.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA charmap.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2600 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2456 taskkill.exe
3012 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	charmap.exe

flow	ioc
3	ipinfo.io

pid	process
2600	vssadmin.exe

pid	process
2456	taskkill.exe
3012	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

2024052783237ebead491c851477fd609d999112cerber.execharmap.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	2024052783237ebead491c851477fd609d999112cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	charmap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\charmap.exe\""	charmap.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	2024052783237ebead491c851477fd609d999112cerber.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c3db9683b0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000040278f6f4a36a64a8006141f803394bc000000000200000000001066000000010000200000004f94bde4d6e362011417054cc04cae8c9b607ad73b0eae6d5202767be0ddf609000000000e80000000020000200000006ce059d1dd88d43e84337a528243f2de89592fdf772ccc80f29f45987d927b7320000000f0b60a3ea9cb142a31ac41131c4c1b7ef9fc8732fe5ca7f9b7c433f5c2bbfbfc400000002723c287185564fa813904f78aacdba5b932e630a5343dc25e0861a4deec5a807f69b9356bf9b75c859f8324af86a4efd828dbcb1d686cdee1597e5c46cbf12a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000040278f6f4a36a64a8006141f803394bc00000000020000000000106600000001000020000000511d93520d1c7060de43b66bb32101a78bda943f39174b21890d1c998b0f645f000000000e8000000002000020000000390e1a1fec566f85749ca6f8aaf4e37c94d7b6b51a22f1efa89f3303de8e326190000000630e713bf165ed7a0ac64f20418829b286c8e14a51736fadc911e1917838dcf3eb381c9ac86783e90c8be0812722ba1adf99f057fe0824dd009368e838c32e52a76d24b1c76967a1fc90eabc8cdf16d4ab26ffd9674bfe1cd3cb7a5282fca21d21558638f289c6b843ea02e6e56e973bfca33668de6de601d0467d48a977171d1ff1726abf7a3d5bac990cb9bc83c9c040000000894f6dfda5b70409b18f240a453a7dc8d7b44dce348817436d147f55c086b2043052b11bf5dfc98389cf589bdea8b42a699a2196736441a56a8bb618d2ff0e44	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D43B85A1-1C76-11EF-932B-4E2C21FEB07B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423010084"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2684 PING.EXE
2436 PING.EXE

pid	process
2684	PING.EXE
2436	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

charmap.exe

pid	process
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe
1940	charmap.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

2024052783237ebead491c851477fd609d999112cerber.execharmap.exevssvc.exetaskkill.exewmic.execharmap.execharmap.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1276	2024052783237ebead491c851477fd609d999112cerber.exe
Token: SeDebugPrivilege	1940	charmap.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2508	wmic.exe
Token: SeSecurityPrivilege	2508	wmic.exe
Token: SeTakeOwnershipPrivilege	2508	wmic.exe
Token: SeLoadDriverPrivilege	2508	wmic.exe
Token: SeSystemProfilePrivilege	2508	wmic.exe
Token: SeSystemtimePrivilege	2508	wmic.exe
Token: SeProfSingleProcessPrivilege	2508	wmic.exe
Token: SeIncBasePriorityPrivilege	2508	wmic.exe
Token: SeCreatePagefilePrivilege	2508	wmic.exe
Token: SeBackupPrivilege	2508	wmic.exe
Token: SeRestorePrivilege	2508	wmic.exe
Token: SeShutdownPrivilege	2508	wmic.exe
Token: SeDebugPrivilege	2508	wmic.exe
Token: SeSystemEnvironmentPrivilege	2508	wmic.exe
Token: SeRemoteShutdownPrivilege	2508	wmic.exe
Token: SeUndockPrivilege	2508	wmic.exe
Token: SeManageVolumePrivilege	2508	wmic.exe
Token: 33	2508	wmic.exe
Token: 34	2508	wmic.exe
Token: 35	2508	wmic.exe
Token: SeIncreaseQuotaPrivilege	2508	wmic.exe
Token: SeSecurityPrivilege	2508	wmic.exe
Token: SeTakeOwnershipPrivilege	2508	wmic.exe
Token: SeLoadDriverPrivilege	2508	wmic.exe
Token: SeSystemProfilePrivilege	2508	wmic.exe
Token: SeSystemtimePrivilege	2508	wmic.exe
Token: SeProfSingleProcessPrivilege	2508	wmic.exe
Token: SeIncBasePriorityPrivilege	2508	wmic.exe
Token: SeCreatePagefilePrivilege	2508	wmic.exe
Token: SeBackupPrivilege	2508	wmic.exe
Token: SeRestorePrivilege	2508	wmic.exe
Token: SeShutdownPrivilege	2508	wmic.exe
Token: SeDebugPrivilege	2508	wmic.exe
Token: SeSystemEnvironmentPrivilege	2508	wmic.exe
Token: SeRemoteShutdownPrivilege	2508	wmic.exe
Token: SeUndockPrivilege	2508	wmic.exe
Token: SeManageVolumePrivilege	2508	wmic.exe
Token: 33	2508	wmic.exe
Token: 34	2508	wmic.exe
Token: 35	2508	wmic.exe
Token: SeDebugPrivilege	2768	charmap.exe
Token: SeDebugPrivilege	1768	charmap.exe
Token: SeDebugPrivilege	3012	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1868 iexplore.exe
1868 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1868	iexplore.exe
1868	iexplore.exe
1868	iexplore.exe
1868	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024052783237ebead491c851477fd609d999112cerber.execharmap.execmd.exetaskeng.exeiexplore.exe

description	pid	process	target process
PID 1276 wrote to memory of 1940	1276	2024052783237ebead491c851477fd609d999112cerber.exe	charmap.exe
PID 1276 wrote to memory of 1940	1276	2024052783237ebead491c851477fd609d999112cerber.exe	charmap.exe
PID 1276 wrote to memory of 1940	1276	2024052783237ebead491c851477fd609d999112cerber.exe	charmap.exe
PID 1276 wrote to memory of 1940	1276	2024052783237ebead491c851477fd609d999112cerber.exe	charmap.exe
PID 1940 wrote to memory of 2600	1940	charmap.exe	vssadmin.exe
PID 1940 wrote to memory of 2600	1940	charmap.exe	vssadmin.exe
PID 1940 wrote to memory of 2600	1940	charmap.exe	vssadmin.exe
PID 1940 wrote to memory of 2600	1940	charmap.exe	vssadmin.exe
PID 1276 wrote to memory of 1680	1276	2024052783237ebead491c851477fd609d999112cerber.exe	cmd.exe
PID 1276 wrote to memory of 1680	1276	2024052783237ebead491c851477fd609d999112cerber.exe	cmd.exe
PID 1276 wrote to memory of 1680	1276	2024052783237ebead491c851477fd609d999112cerber.exe	cmd.exe
PID 1276 wrote to memory of 1680	1276	2024052783237ebead491c851477fd609d999112cerber.exe	cmd.exe
PID 1680 wrote to memory of 2456	1680	cmd.exe	taskkill.exe
PID 1680 wrote to memory of 2456	1680	cmd.exe	taskkill.exe
PID 1680 wrote to memory of 2456	1680	cmd.exe	taskkill.exe
PID 1680 wrote to memory of 2456	1680	cmd.exe	taskkill.exe
PID 1680 wrote to memory of 2684	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 2684	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 2684	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 2684	1680	cmd.exe	PING.EXE
PID 1940 wrote to memory of 2508	1940	charmap.exe	wmic.exe
PID 1940 wrote to memory of 2508	1940	charmap.exe	wmic.exe
PID 1940 wrote to memory of 2508	1940	charmap.exe	wmic.exe
PID 1940 wrote to memory of 2508	1940	charmap.exe	wmic.exe
PID 1940 wrote to memory of 1900	1940	charmap.exe	bcdedit.exe
PID 1940 wrote to memory of 1900	1940	charmap.exe	bcdedit.exe
PID 1940 wrote to memory of 1900	1940	charmap.exe	bcdedit.exe
PID 1940 wrote to memory of 1900	1940	charmap.exe	bcdedit.exe
PID 1940 wrote to memory of 1924	1940	charmap.exe	bcdedit.exe
PID 1940 wrote to memory of 1924	1940	charmap.exe	bcdedit.exe
PID 1940 wrote to memory of 1924	1940	charmap.exe	bcdedit.exe
PID 1940 wrote to memory of 1924	1940	charmap.exe	bcdedit.exe
PID 2752 wrote to memory of 2768	2752	taskeng.exe	charmap.exe
PID 2752 wrote to memory of 2768	2752	taskeng.exe	charmap.exe
PID 2752 wrote to memory of 2768	2752	taskeng.exe	charmap.exe
PID 2752 wrote to memory of 2768	2752	taskeng.exe	charmap.exe
PID 1940 wrote to memory of 1868	1940	charmap.exe	iexplore.exe
PID 1940 wrote to memory of 1868	1940	charmap.exe	iexplore.exe
PID 1940 wrote to memory of 1868	1940	charmap.exe	iexplore.exe
PID 1940 wrote to memory of 1868	1940	charmap.exe	iexplore.exe
PID 1940 wrote to memory of 1592	1940	charmap.exe	NOTEPAD.EXE
PID 1940 wrote to memory of 1592	1940	charmap.exe	NOTEPAD.EXE
PID 1940 wrote to memory of 1592	1940	charmap.exe	NOTEPAD.EXE
PID 1940 wrote to memory of 1592	1940	charmap.exe	NOTEPAD.EXE
PID 1868 wrote to memory of 1584	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 1584	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 1584	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 1584	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 2952	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 2952	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 2952	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 2952	1868	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 2792	1940	charmap.exe	WScript.exe
PID 1940 wrote to memory of 2792	1940	charmap.exe	WScript.exe
PID 1940 wrote to memory of 2792	1940	charmap.exe	WScript.exe
PID 1940 wrote to memory of 2792	1940	charmap.exe	WScript.exe
PID 2752 wrote to memory of 1768	2752	taskeng.exe	charmap.exe
PID 2752 wrote to memory of 1768	2752	taskeng.exe	charmap.exe
PID 2752 wrote to memory of 1768	2752	taskeng.exe	charmap.exe
PID 2752 wrote to memory of 1768	2752	taskeng.exe	charmap.exe
PID 1940 wrote to memory of 1052	1940	charmap.exe	cmd.exe
PID 1940 wrote to memory of 1052	1940	charmap.exe	cmd.exe
PID 1940 wrote to memory of 1052	1940	charmap.exe	cmd.exe
PID 1940 wrote to memory of 1052	1940	charmap.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024052783237ebead491c851477fd609d999112cerber.exe
"C:\Users\Admin\AppData\Local\Temp\2024052783237ebead491c851477fd609d999112cerber.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe
"C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe"
2⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2600

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1900

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:537601 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
3⤵
PID:1592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
3⤵
PID:2792

C:\Windows\system32\cmd.exe
/d /c taskkill /t /f /im "charmap.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe" > NUL
3⤵
PID:1052

C:\Windows\system32\taskkill.exe
taskkill /t /f /im "charmap.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2436

C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /t /f /im "2024052783237ebead491c851477fd609d999112cerber.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2024052783237ebead491c851477fd609d999112cerber.exe" > NUL
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im "2024052783237ebead491c851477fd609d999112cerber.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:2684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\taskeng.exe
taskeng.exe {1B28D891-0A13-40E8-AB2B-9300442D1EF7} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe
C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe
C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
0abc2a59d009a1e7f4a04ce5c1d02d39

SHA1
ed651ebabe113d843a3e741a89050dfd5993ce64

SHA256
3731c3b1d1b0e211635428471c7ccf7ab4d2ba34a310eae712a01046d6f4bfbd

SHA512
b6603c8149d0b44ea4d0bbb3257a81811cdd08bb8367f7964233dfaf030ddc423cde6a56b311a596a4909814c4d446361e6250f002de775b11528e12c062654d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
b9a5db22e7e8f620f82d16dbe112c6e9

SHA1
9e04f758d7caeaeca343d3afd36871d8fe5e4b11

SHA256
207ce5afed71dbf30cf01c9c1f812599a3693aee57eb2d9f8bbf0589c092dd15

SHA512
5b9d4cf6ebd7fa4006fa7bec61f9462efee454327ee8d8f34f0374cc30a062c93201a351d9437fa8b83f5a2559cdc95177f45234b1db18f362918db5dbb98ad7

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
83B

MD5
08f47234a3dccdad826c4f50bda6b56f

SHA1
4bc086f9b32a9298d4e1360de572c9a0f953d272

SHA256
ea2fd84bac08d67390d7d0568ec3eef43de1e92f2fc8be70885ba1e4678f877c

SHA512
5ad4f4b267d13a06778f5def3a88692a97e0e2f5d8419e1d33bc51a13d98ced50ced719b328873c189c6be74aef907ef28d82199c2130a3f8e6485ccd4a334c8

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
210B

MD5
e885e348f83d97db3deb82ed43a64eeb

SHA1
931f6266326fb778117d52d9e74eb9b8545bb2f2

SHA256
bf4b1b2372317eb80d719b452100e9538ea7d44f5e168a7e59d0aecfebf5b660

SHA512
4fee5c7cf95a5930062eea507911d172644c73c592291a520230eca5bb27009923cf03f0b6bdc1912eee841dcc561f82b4071265e75787801a07547650d1be44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
01de34b54428300a8447577f8971fe27

SHA1
24974b9b83dbe54def6286441310e8965d7eb2ac

SHA256
183cf1af8cdb3f0b8c761e49c9eee928db68aa0bea7063fb0cca9148941f362c

SHA512
de8f1be9a88721db5247ef10acbfeb96f7d54e4dae3db6140581fb0a05d20c319fcfe33e3c07336c12a6777d2835a78e038185dc12c17bdc452f55da1d61bc55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a529716d0dd6401f45bacd6723258c0

SHA1
8d971693a35379dfc391f952c51fd74733b36a01

SHA256
a01f93a5f71535c711696f7bc25cc1c317980638659f30b470eeb6a8fe817f89

SHA512
cf900d3aa4bf290e8b29b895e8dd4bf4586a1974fe2417c31ae713f39eef971abb05534038ca7d6ae0ff642fe2a6c7333a093b6da03bd04ae6a9eb0c33455598

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14708f03bf930d77e178ee9e197bd6df

SHA1
38838119f95ed189375c51765ede6b9e894f2920

SHA256
f882bdb15a1188a0f3f3ac7d6f59752928a0a135e78c67a7e626d6de672024d3

SHA512
5221c2415b1883ec2064b7272813b3fd94996584464e797b951fff043c411f653be0e23554fdc13cfa4dbf961c312e49079625f8bb2f34c878931c2921043265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c8cf67e8124f78007c4552681c5caa8

SHA1
e5f02736c1f527880f8850104d66de59d0a729dc

SHA256
8a47d8ab82ba6fbb262af884d108fa5317f17ec637a23044017f454534b6d98b

SHA512
dc601da9e3213f7fcc473aebeb3b11c633bf57f5399cef5f7909353bd18d9c3cde5ef4e7a541d53ecef19b6a013da5e13896f0ae3913d661d975857e41593034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
556823c059ddbfd59d86428849580b53

SHA1
0a2562490861168f56cf06fd0dd261eea504ecfc

SHA256
944d3bf195aa595b34d5331abc72ed06c29fca12613367cedf330d7454e62572

SHA512
b52280b008ce20fb187291a45aacd7c714cf06db4f5a84c8aad51262ce8021e4d1ec27b00fbd9ecc07e4826527ce50367628189c0aeeeb35c307c04316e10880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc7ba8f0616c747f02150686de73a626

SHA1
ae82c0cbf689e1d846cff00ebc3b088cc87d4554

SHA256
67a5bce68113cc1a302187da37c9d2db34a95cfb2cd02134f6b88406f443f3f2

SHA512
192bfb03b2a62d2e85f82293f37d303915ac79f145571793286f241588c48a2a1181af7c233cd448d66d69cc9dde93342f4dc4d678f8a4201418ca7f3597201c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1081964db78021df7c1bc2afcde81db4

SHA1
2dc374cb19fe94da4fd4b4322214fd50cb8dbd2d

SHA256
26126fff73c2db7de028868b26087bdf4a76f5fdd1ded7bb025bd1bed9f8b649

SHA512
628bbba980ab464967b06a174837305616d6a77edd78e68ab098069944db48644eb5697baeca18675b82c08fff5b95d3b3abc1928f4dd640196d4fa321f24b2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24464c276acc5747b48cf3e04a9bb112

SHA1
6a782b14cdc69ff00bb3d6c30ddcab769161d45c

SHA256
3225bb34ebdf274d2214de73c9097d709d56218418be46daa9f9feddb1784119

SHA512
b154b35551d07399a1af23ce1b78dc9df917721d67209b89a41762479f51eedfba1b76a69da88294cd7730d2e58134a4b804ffce17eea878b1229e1f047cc34b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6d29c8a225b45f79acbbb4dc9676f95

SHA1
ed9fb46d58c188974da9887789ced97256f476cc

SHA256
1086a681f3260ac9027d24ffbe65d2131295b5dff949ec0af2285e28d59217f6

SHA512
b6d58dfb834cd2f4339d5b4ee0b51fcedf51e225f1998f4c802ad29245b85e110b20eecf3a880f39ee7d521602917c559e58c1e25e3813416a11f6062660c6d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79839d9f0edf3c52dc7e1d017cc2512f

SHA1
fd0fb6f03b698acabe2619cb82e3e52cdd2088b4

SHA256
3e90713cb234f31635cacd438aa6e2ff45634bf1fd96581ca071eb87fedc31a5

SHA512
a8c71f625c82fc64bfdf896fc4198a4906456e715875f453d56994360eb346f4e1eac2d6de2ead1df4aa5a65f50fd1c2c89c50cdfed5300508febc49e928ba2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ef5eb3e578d73be5a164cfa1d23a136

SHA1
ef8654c220f6a1d14c8e1656c9778fa2f7c67661

SHA256
afb2b61394315c67321c485fb514bf7c68c6649fe932fce9d6763f7ed632b1c5

SHA512
a66dae13c5064307e6ceba688dfa24cb1be745c4b5799409c018a794e15e294fc05bfa118d58e138816d456b955443b143078ef2687b4444952bb05cea2ac59c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b35de190c80382c5415cdd674b57795

SHA1
3f7551eb7e723014e82af3253da8ee6b7cc6c5ea

SHA256
239a4a883be65120cab444bde854c880ecf4ba7f82a47f567d98dc5d52222b30

SHA512
e47acd8f9dcf182aad98d11583d94d82f575045365b7604a96cf661539e8f74a1a8a6dd5c5cfcf74bdb67f09281776b4421e88cec64a74234a4e23558dac01ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e89527e5ab323f1474f8657af159a4e

SHA1
cdeb4eabcc316a020af67840c2a90ff71d7ae103

SHA256
bad0514858c98862df746485ea6f81401d9816cfa4de6ff2c3d9ccf2be7f8f72

SHA512
56933f5e67fb030f1f4795e86a171fb157e9ea29033dff58743b400733f9f3f4a9906570ef1690e316b6da7a133a39512f606ebd5c75c83a9e4ac6c89c9c9a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be7fc7d7e23b6236924b21f3f962936b

SHA1
123bc18c648f5ca6d18e8021ab589b11708458e0

SHA256
2020060dba22bd600be502834d2b97322bd8394e9f16e894d7ba7fee188692be

SHA512
21c6d1e82c1fcb7c06f06f2a3933422a8e2ae708b478ef8d2a3c13131542b68f3de37d34c483a10d7d00d88ab021c73b405e70e627292b447b3b6c93753bb22e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20a46b8f7c450f60f1cd6e6c983a6c32

SHA1
900a9886fa30a383eb8c0fec7b0e7ac5c35cf0dc

SHA256
1af2f4edc38559992079729737bdf75425fc12265c4b27301b9730807ed8fdbd

SHA512
b77b6df98ee8c582d2dc07a04a170873d17218ba6b883a6c6f65d4c3beab5f9e44b22b3a05c3f041084f74f501587178d5e798f6c283b5af2d4669b1922ba5ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
034ea89cd52cb589d4a3b129a16818f9

SHA1
2c485ca0b9b2d502839339b5c7f26597b4588ec3

SHA256
02670207cea3d112c1f899c17d64ca3e54c49ae2b8eaac574db79862146b9e52

SHA512
d3ae98bdc5d7d4aa12772c76b3bd211eb4322c7ccb9593c45bd727d45abcdef898f2af2fae68411f734cfac6cee6e446b1b077fc2891df2fb5c886fa992b5dd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ffb050a5d555d9631b0a636328f694d

SHA1
8c5bc0b01ceacb663e922ec1a4d267499ff62de6

SHA256
6b518b43acf23ccde88b9188a5433b00ed4e88024301b54dbe38984706c4159d

SHA512
97f488516f83fdec47ecdd3acc2707fbfe3dd88ed662c6cabecf7eeb43c5b9609ef87175f381f8cb5f5aaa4c53de305442ea259620124bd4624c68f0400a8521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab054d96650143ee513b1ee75ccafe8f

SHA1
7903916138358f855db24abba024fdaa5e64c4da

SHA256
4bda4c49a1c4dd19c47c92e26641d8f0e9d4c80f5a11525dc6e564b38aa0e351

SHA512
ab24fa837be31a85ef1391805f1dae37fd52de79ff642fb78cda9397b9e602765687e871d3eb9a39846d80b0bf899cf7fda8131d18366e416058a6d0e709f030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdfcc60414f1e8570e9d22f242159566

SHA1
d8cf34cc6eb1d221185607b006d829ef5dc80e8d

SHA256
92e99551338a7738b977bec989c6f29646265b8b31a776bb2b12bc72c3a4ff8f

SHA512
bf699892cf51e45f5552cb3a4cce2cb67a5405974e73a570e68e1a82c75139d851b5cf14e2fa4dc7b9eb0789006fe65b053348a93ca3c84594f01e1c20e703c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf8a4ab52f478f92064d93a19ad82f8b

SHA1
1ee507686e0fb27d6c6059ffbdaa5c864a46320c

SHA256
31f3e9daa535c27b4d8b6664d20fea0c4e2cbe8cf095912430b27ca649e45ca4

SHA512
9094bf25f4440eb36e43f54e435bb63ccb949235a57a0784149ac30f037d66990413b2ee377050c0eccd257f4fa4f11a6b5d8323e964d6c50b648376b210ebe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
694a175233b356d2d1d2cbdb887e9da3

SHA1
24d9630a18ce8cdf2f1f7fb8aa3b1d3ddf7d5d6f

SHA256
89ff0276f5471575f5734dbcd7e3389cd2065c218bd0d0ff84acb216e8f2acc3

SHA512
c54bb70267a19d30ae65a49cc1c9e6d3527c6221d413bb1b326de259914226cc91091c132c444506f5a9a38de9a6af3286212f57051d9da08ab769def7acdf9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbfc40259cb92842f70132fd23701f9a

SHA1
8a352017df02d3fbd7a8f9a588919ddbb52b17c0

SHA256
9d2f467bbba654b0c4b6b534cc89f225b5af58b2ced69f99be871a61f47e2516

SHA512
643fe6400d9e635b8401f10efff877e482008414f4c85249b804d43d3f4ced6df72b663df520197af360fa115174283636ed1e6b2b9bf9cf78e4fed3579d311c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5aa1e9fb97176ac350cfe92877076252

SHA1
8df893773232efc48332cbfa2ef472bba81d7453

SHA256
9de293d9f1735780a249d28342f6af7ef5b67bb1ab692ceb9dace02a89fd78b5

SHA512
36f707bb1481783bffacb28cafb1bb346a9f455ea34189ce67f35ebc1a765f26806367caf4d9f04c0d31de32c67d07207fb5ee7816613672d576f633d57015ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c045ba7e07380e04a52a4d8e39e7c9a2

SHA1
2b03c7bc3a93df1ecd0e0518a29bec6ae447d1af

SHA256
282495ce5f71c663823a54bfcc421f821d2d50645191b4d6cb47170a1b3b6562

SHA512
1b30273d158bb752e5130c3e1d69751ca80432a77e0c820d7844463647ecff05643f8e3d9dbbdd4e4cea0b51fa8d96b63ad269a4989270c650597dc940065b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UK4F3SAK\favicon[2].ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14A1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\charmap.lnk

Filesize
1KB

MD5
91abde38a6bc4fc8cfdb00b39bce98ea

SHA1
b8bbc124dcf6d4313ca4a67226603f56a68300f9

SHA256
63366d1f3671df0e7d6dccbab37bcba94db734acc5badc17d361a543a55e5eca

SHA512
d40c67b2ea241f1a763465ac236100dbdac5cc95b52e1c4b8965fb0663989e80260fd06a9f850cb09096d2497d2df11cd21aeeb2d60e60d4167e28f44884f1bc

Download Submit
\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\charmap.exe

Filesize
177KB

MD5
83237ebead491c851477fd609d999112

SHA1
959652b34973aa73161f7f02acffe667b37e3562

SHA256
27f3384ffb49590d669a02beaeb350eb603eb752f065ffc570d0ff30c7bcd156

SHA512
1b686f3fc8bf1251313396148ef2cfe711d6cd2634d5dc4f3815476f765896f333d1c430579833db7c5d4aec015ae368367942fd0c38457becb7d22f59b694cc

Download Submit
memory/1276-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-4-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1276-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-5-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1768-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-462-0x00000000044D0000-0x00000000044D2000-memory.dmp

Filesize
8KB

Download
memory/1940-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-1066-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download