gozi | d7401acbe93358af3649a47f80a178df497f699d8d430b8400b008dec894b1b9

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
Size

177KB
MD5

4612fbda398e6d7570975a3b122849d8
SHA1

0b044922439de8838eb6c0dcf604c47dd36dd4dd
SHA256

d7401acbe93358af3649a47f80a178df497f699d8d430b8400b008dec894b1b9
SHA512

5f3f223067e4cb5c40b5ded590b877d6644762f5c4ffd14414ad9430721b8418a674b3e74ba7d5fa3e7339c4a73f2eca27370c1f2de51641e721f4f22a15d803
SSDEEP

3072:7UtN1FlUqaTkJPFAJwt33qFS2Ac/koKJFfFlo4U7ipdS8TZGVZ+Fbvc97:o1F9EkJPyG3qqchjD7u6OvO

Score

10^/10

gozi banker defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

Ransom Note

CERBER RANSOMWARE ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2 | | 2. http://cerberhhyed5frqa.onion.cab/14EE-F788-E751-0072-B4F2 | | 3. http://cerberhhyed5frqa.onion.nu/14EE-F788-E751-0072-B4F2 | | 4. http://cerberhhyed5frqa.onion.link/14EE-F788-E751-0072-B4F2 | | 5. http://cerberhhyed5frqa.tor2web.org/14EE-F788-E751-0072-B4F2 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/14EE-F788-E751-0072-B4F2 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2

http://cerberhhyed5frqa.onion.cab/14EE-F788-E751-0072-B4F2

http://cerberhhyed5frqa.onion.nu/14EE-F788-E751-0072-B4F2

http://cerberhhyed5frqa.onion.link/14EE-F788-E751-0072-B4F2

http://cerberhhyed5frqa.tor2web.org/14EE-F788-E751-0072-B4F2

http://cerberhhyed5frqa.onion/14EE-F788-E751-0072-B4F2

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>CERBER RANSOMWARE</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2</a></li> <li><a href="http://cerberhhyed5frqa.onion.cab/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.onion.cab/14EE-F788-E751-0072-B4F2</a></li> <li><a href="http://cerberhhyed5frqa.onion.nu/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.onion.nu/14EE-F788-E751-0072-B4F2</a></li> <li><a href="http://cerberhhyed5frqa.onion.link/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.onion.link/14EE-F788-E751-0072-B4F2</a></li> <li><a href="http://cerberhhyed5frqa.tor2web.org/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.tor2web.org/14EE-F788-E751-0072-B4F2</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2" target="_blank">http://cerberhhyed5frqa.onion.to/14EE-F788-E751-0072-B4F2</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/14EE-F788-E751-0072-B4F2 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Contacts a large (16393) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1724-4-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-19-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-17-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-16-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1724-21-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-25-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1480-31-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-32-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-34-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-463-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1328-1064-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1992-1066-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects command variations typically used by ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1724-4-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-19-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-17-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-16-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1724-21-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-25-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1480-31-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-32-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-34-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-463-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1328-1064-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/1992-1066-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Detects executables referencing many IR and analysis tools 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1724-4-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-19-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-17-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-16-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1724-21-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-25-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1480-31-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-32-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-34-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-463-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1328-1064-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral1/memory/1992-1066-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2180 bcdedit.exe
1920 bcdedit.exe

pid	process
2180	bcdedit.exe
1920	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exeMRINFO.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	MRINFO.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1728 cmd.exe

pid	process
1728	cmd.exe

Drops startup file 2 IoCs

Processes:

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exeMRINFO.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MRINFO.lnk	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MRINFO.lnk	MRINFO.EXE

Executes dropped EXE 3 IoCs

Processes:

MRINFO.EXEMRINFO.EXEMRINFO.EXE

pid process

1992 MRINFO.EXE
1480 MRINFO.EXE
1328 MRINFO.EXE
Loads dropped DLL 2 IoCs

Processes:

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exeMRINFO.EXE

pid process

1724 2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
1992 MRINFO.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
1992	MRINFO.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exeMRINFO.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	MRINFO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	MRINFO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MRINFO.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MRINFO.EXE
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2588 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2840 taskkill.exe
1656 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MRINFO.EXE

flow	ioc
3	ipinfo.io

pid	process
2588	vssadmin.exe

pid	process
2840	taskkill.exe
1656	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exeMRINFO.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	MRINFO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\\MRINFO.EXE\""	MRINFO.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002cf8a20a36d07b4eb69d39e70e97032f000000000200000000001066000000010000200000006f80707bb9122826d77aeadc42ab1cd125a471f67e9fb29003a608127461f3f9000000000e8000000002000020000000ed29b9867e8fd72c8c1588d46f61a6ac3f9c913bdd246fd5642f25b137f735cb9000000062f455a3fd618e468754cf8d73af2176bf5ea1b1b0127352924efb23eb491482c5674e765db09467e995e437e754339b53ad35fbf5614936aa4f07041cc99f593d9a92f70db54a7b78e7c7ee817f0a494f105ccb049a265ad9782eec2e6b311d1597ddc2f79179edb30111f5ad1e11b155a36e33ab65dd2c651d5a7102e4e1bc2437fe8b369ac75f46bb3d992d6b0df4400000008db66a6f43596fb848262d26dad7f9a2d92d339f8d7c54c7bc25983e29549ad4dabc7898ff57e3957cea099821e1715f2941fadc95bd7505d29ca9e0f82b0de2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A36A4041-1BEC-11EF-888E-CA4C2FB69A12} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20493266f9afda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A3762721-1BEC-11EF-888E-CA4C2FB69A12} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422950731"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002cf8a20a36d07b4eb69d39e70e97032f00000000020000000000106600000001000020000000e36edcc5f7a1a541a53d51b02811bbfeae0a255ffbba1351303211482b00484f000000000e8000000002000020000000575739f3e086c9b1e66e0f10927b92f56cb7563dbcebe0ffe602dbc81f032d8f20000000391403e0bbfc578cf9be15f57f6fb653f85809ca50f0d8073e20001e3425cf334000000084ce24fbdcb1e5ffdbc69ceecb3a29bd8a64f57fd499c6beb55777f037f5d40883d4b1202efc1c54c3d1c268c6ed042ff2bd354efd39ac4cf3a1b3d7bff5398d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2460 PING.EXE
2880 PING.EXE

pid	process
2460	PING.EXE
2880	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

MRINFO.EXE

pid	process
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE
1992	MRINFO.EXE

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exeMRINFO.EXEvssvc.exetaskkill.exewmic.exeMRINFO.EXEMRINFO.EXEtaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
Token: SeDebugPrivilege	1992	MRINFO.EXE
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2404	wmic.exe
Token: SeSecurityPrivilege	2404	wmic.exe
Token: SeTakeOwnershipPrivilege	2404	wmic.exe
Token: SeLoadDriverPrivilege	2404	wmic.exe
Token: SeSystemProfilePrivilege	2404	wmic.exe
Token: SeSystemtimePrivilege	2404	wmic.exe
Token: SeProfSingleProcessPrivilege	2404	wmic.exe
Token: SeIncBasePriorityPrivilege	2404	wmic.exe
Token: SeCreatePagefilePrivilege	2404	wmic.exe
Token: SeBackupPrivilege	2404	wmic.exe
Token: SeRestorePrivilege	2404	wmic.exe
Token: SeShutdownPrivilege	2404	wmic.exe
Token: SeDebugPrivilege	2404	wmic.exe
Token: SeSystemEnvironmentPrivilege	2404	wmic.exe
Token: SeRemoteShutdownPrivilege	2404	wmic.exe
Token: SeUndockPrivilege	2404	wmic.exe
Token: SeManageVolumePrivilege	2404	wmic.exe
Token: 33	2404	wmic.exe
Token: 34	2404	wmic.exe
Token: 35	2404	wmic.exe
Token: SeIncreaseQuotaPrivilege	2404	wmic.exe
Token: SeSecurityPrivilege	2404	wmic.exe
Token: SeTakeOwnershipPrivilege	2404	wmic.exe
Token: SeLoadDriverPrivilege	2404	wmic.exe
Token: SeSystemProfilePrivilege	2404	wmic.exe
Token: SeSystemtimePrivilege	2404	wmic.exe
Token: SeProfSingleProcessPrivilege	2404	wmic.exe
Token: SeIncBasePriorityPrivilege	2404	wmic.exe
Token: SeCreatePagefilePrivilege	2404	wmic.exe
Token: SeBackupPrivilege	2404	wmic.exe
Token: SeRestorePrivilege	2404	wmic.exe
Token: SeShutdownPrivilege	2404	wmic.exe
Token: SeDebugPrivilege	2404	wmic.exe
Token: SeSystemEnvironmentPrivilege	2404	wmic.exe
Token: SeRemoteShutdownPrivilege	2404	wmic.exe
Token: SeUndockPrivilege	2404	wmic.exe
Token: SeManageVolumePrivilege	2404	wmic.exe
Token: 33	2404	wmic.exe
Token: 34	2404	wmic.exe
Token: 35	2404	wmic.exe
Token: SeDebugPrivilege	1480	MRINFO.EXE
Token: SeDebugPrivilege	1328	MRINFO.EXE
Token: SeDebugPrivilege	1656	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2976 iexplore.exe
2884 iexplore.exe
2976 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2976	iexplore.exe
2976	iexplore.exe
2976	iexplore.exe
2976	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exeMRINFO.EXEcmd.exetaskeng.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1724 wrote to memory of 1992	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	MRINFO.EXE
PID 1724 wrote to memory of 1992	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	MRINFO.EXE
PID 1724 wrote to memory of 1992	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	MRINFO.EXE
PID 1724 wrote to memory of 1992	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	MRINFO.EXE
PID 1992 wrote to memory of 2588	1992	MRINFO.EXE	vssadmin.exe
PID 1992 wrote to memory of 2588	1992	MRINFO.EXE	vssadmin.exe
PID 1992 wrote to memory of 2588	1992	MRINFO.EXE	vssadmin.exe
PID 1992 wrote to memory of 2588	1992	MRINFO.EXE	vssadmin.exe
PID 1724 wrote to memory of 1728	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	cmd.exe
PID 1724 wrote to memory of 1728	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	cmd.exe
PID 1724 wrote to memory of 1728	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	cmd.exe
PID 1724 wrote to memory of 1728	1724	2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe	cmd.exe
PID 1728 wrote to memory of 2840	1728	cmd.exe	taskkill.exe
PID 1728 wrote to memory of 2840	1728	cmd.exe	taskkill.exe
PID 1728 wrote to memory of 2840	1728	cmd.exe	taskkill.exe
PID 1728 wrote to memory of 2840	1728	cmd.exe	taskkill.exe
PID 1728 wrote to memory of 2460	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 2460	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 2460	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 2460	1728	cmd.exe	PING.EXE
PID 1992 wrote to memory of 2404	1992	MRINFO.EXE	wmic.exe
PID 1992 wrote to memory of 2404	1992	MRINFO.EXE	wmic.exe
PID 1992 wrote to memory of 2404	1992	MRINFO.EXE	wmic.exe
PID 1992 wrote to memory of 2404	1992	MRINFO.EXE	wmic.exe
PID 1992 wrote to memory of 2180	1992	MRINFO.EXE	bcdedit.exe
PID 1992 wrote to memory of 2180	1992	MRINFO.EXE	bcdedit.exe
PID 1992 wrote to memory of 2180	1992	MRINFO.EXE	bcdedit.exe
PID 1992 wrote to memory of 2180	1992	MRINFO.EXE	bcdedit.exe
PID 1992 wrote to memory of 1920	1992	MRINFO.EXE	bcdedit.exe
PID 1992 wrote to memory of 1920	1992	MRINFO.EXE	bcdedit.exe
PID 1992 wrote to memory of 1920	1992	MRINFO.EXE	bcdedit.exe
PID 1992 wrote to memory of 1920	1992	MRINFO.EXE	bcdedit.exe
PID 2216 wrote to memory of 1480	2216	taskeng.exe	MRINFO.EXE
PID 2216 wrote to memory of 1480	2216	taskeng.exe	MRINFO.EXE
PID 2216 wrote to memory of 1480	2216	taskeng.exe	MRINFO.EXE
PID 2216 wrote to memory of 1480	2216	taskeng.exe	MRINFO.EXE
PID 1992 wrote to memory of 2976	1992	MRINFO.EXE	iexplore.exe
PID 1992 wrote to memory of 2976	1992	MRINFO.EXE	iexplore.exe
PID 1992 wrote to memory of 2976	1992	MRINFO.EXE	iexplore.exe
PID 1992 wrote to memory of 2976	1992	MRINFO.EXE	iexplore.exe
PID 1992 wrote to memory of 2144	1992	MRINFO.EXE	NOTEPAD.EXE
PID 1992 wrote to memory of 2144	1992	MRINFO.EXE	NOTEPAD.EXE
PID 1992 wrote to memory of 2144	1992	MRINFO.EXE	NOTEPAD.EXE
PID 1992 wrote to memory of 2144	1992	MRINFO.EXE	NOTEPAD.EXE
PID 2976 wrote to memory of 2524	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2524	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2524	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2524	2976	iexplore.exe	IEXPLORE.EXE
PID 2884 wrote to memory of 1124	2884	iexplore.exe	IEXPLORE.EXE
PID 2884 wrote to memory of 1124	2884	iexplore.exe	IEXPLORE.EXE
PID 2884 wrote to memory of 1124	2884	iexplore.exe	IEXPLORE.EXE
PID 2884 wrote to memory of 1124	2884	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2700	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2700	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2700	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2700	2976	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1200	1992	MRINFO.EXE	WScript.exe
PID 1992 wrote to memory of 1200	1992	MRINFO.EXE	WScript.exe
PID 1992 wrote to memory of 1200	1992	MRINFO.EXE	WScript.exe
PID 1992 wrote to memory of 1200	1992	MRINFO.EXE	WScript.exe
PID 2216 wrote to memory of 1328	2216	taskeng.exe	MRINFO.EXE
PID 2216 wrote to memory of 1328	2216	taskeng.exe	MRINFO.EXE
PID 2216 wrote to memory of 1328	2216	taskeng.exe	MRINFO.EXE
PID 2216 wrote to memory of 1328	2216	taskeng.exe	MRINFO.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE
"C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE"
2⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2588

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2180

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
PID:2524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:537601 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
3⤵
PID:2144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
3⤵
PID:1200

C:\Windows\system32\cmd.exe
/d /c taskkill /t /f /im "MRINFO.EXE" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE" > NUL
3⤵
PID:1636

C:\Windows\system32\taskkill.exe
taskkill /t /f /im "MRINFO.EXE"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2880

C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /t /f /im "2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe" > NUL
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im "2024-05-27_4612fbda398e6d7570975a3b122849d8_cerber.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:2460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\taskeng.exe
taskeng.exe {B71F672C-05EB-4754-8FA3-8AD0E9B36A6E} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE
C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE
C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html
Filesize
12KB

MD5
929bd32d1c588eaba218d947dfabccd3

SHA1
214b84f145c6299488497f4e7c8b0800520e51c5

SHA256
f26f256e661178280e7ae5165225d6cff00f9a0ba8e639273d1c8ca99f4aeb86

SHA512
f0134a031065f911035c9e5677a96f9a3df84afcf218382316364e990753d617a63d4e50d65bc9f7e43b79f7862ad26bd07a6be8629155ecae162131715fcff2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt
Filesize
10KB

MD5
ba4e5b53c1b36abe5e0e33303df0ef08

SHA1
63d3694cb36ea860a3ba367918cd37e2c263681a

SHA256
b0832ef1f1dc1852609fd3eb7b1665457e3901cb4269763e28bda4c8843db9ce

SHA512
af97c064b5c88121da109d458f6285cac466bc6ce794e7fcd7be3977fb9ab03e5d7a34fffd3ddd5c44aa31d7255abdd1af8bdf4795271d95f71056aab7f2668e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.url
Filesize
83B

MD5
aa41aaa21e1a3d45c68aabe16a48c928

SHA1
d0e25580b8a172e3903512c66b6c3a546f18a783

SHA256
fa16517b8508d5cad35073ad03a9ab2502a4b0b38df314344fa8f347b5e63c6a

SHA512
979f3cb0aae609934a885e7c2987780e5a1fb6915930aadcc980a95deea7620f3ba30d58c50774604b6dc33cd94947d965a8f9fe8e7d5b18db24e460c94e656d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.vbs
Filesize
210B

MD5
e885e348f83d97db3deb82ed43a64eeb

SHA1
931f6266326fb778117d52d9e74eb9b8545bb2f2

SHA256
bf4b1b2372317eb80d719b452100e9538ea7d44f5e168a7e59d0aecfebf5b660

SHA512
4fee5c7cf95a5930062eea507911d172644c73c592291a520230eca5bb27009923cf03f0b6bdc1912eee841dcc561f82b4071265e75787801a07547650d1be44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
5f49772c496ac3ceb2100faaf22cf6b1

SHA1
c8a328c27b37cf7a3280332d849a4f953f82d1be

SHA256
2fa087c87b8893ff1d523a019bf953ea4bf421785f7b9365786f544465f093b6

SHA512
1c29be1894a5ab73d8daff1702e073662f5ea04e5598b8e39893c73e979aed25db48467c2e1b7ff0270053c7982624c49ba536068b9142fda4df7229a16ad8d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3704388d34e1471f4388af24acfc68fb

SHA1
4690239dfcf6f75a80cf1000fc4b43eb205a2398

SHA256
78426318eff12ff2e0ada3a3e596477c23ba574ba565407b9d02c0036e0fd2d5

SHA512
4e1ef8df777c7b7ae6bc1adfa5d0c9bdacdfdeedbc9acd14ad7f846f130b86c13569e4b70b7fe714686b82c07e9f78c560bbb9d889fb91303edbe1c1b43a8b33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9b39d7db828a418020898b8d0d17ff9b

SHA1
36995baa816823f0fd2812fa5f3ef8c5f034e49c

SHA256
7234b55c8481a3f555ee80e4c4c7145246f3108c7e0cd34f70f7880b07271ac0

SHA512
b1f16cf417c7fbc73fe90e5713090d5cfbf4bf7047c6b7e3c958fdf41e2ab6146d3e3ae157e9791b2489d0706be4e29a8a7883a51ee174b3795e2c76b5cc3f17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4bfd09267667f56bff7378bc098c052d

SHA1
7a57a830b9bba8d4a44d86d106daec9d72f70d42

SHA256
be970f59995a1427506720d320a06678743646ee94fab2d917a4c040a4bdde0b

SHA512
664ea76c25d433532a196bd0278d021b1b801667663802f7235c8a3657af27ad32463c7bec0d1150127d57a969af48044cdeaf91c95d60aba1dea74b709a02a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8ba823d343e21d585e1edc03e81c2869

SHA1
bee8810b331d40a0bce42b954cacedb5188a456a

SHA256
c3c155936246b9ac842ad26729f8e11f11f04c6706f2377c2cb3d7733bde784f

SHA512
6f3b7b4efc1a1de7fa54ad2e9d00a0c2eac3c4e03783617ba11bf2555c353c27b366e5f1cbfcc4e67ab356fa4471b41ebfaafdcdced26d2a2966bea90f31cf2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7e7b4ba1df8d1bad7af93e5153b6ba45

SHA1
63c7e7f266ed457ffdf9f60f74d74039fa4f1c80

SHA256
3c644482f110de478c35a5199e84876d25f670a200cb52ecf90e25427964db1e

SHA512
90d95b709229401eba3369c7c7ff334cdb131e1dd7d8f51cad177da99c81d5a4423d0df6330c04cfd9e2bf36597fc5676208b170bf90d6c3d45dbe56e7fc86cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
72b5308119d8ebabaf36da6f42bacb1d

SHA1
5707b868778fbf5774c9ace84777d4a00ad83945

SHA256
28758dd4ce782e95cdcf1f121fc810b86ce9b75b4cee59dde6e5bf64815704da

SHA512
449a72da6b62ab95fb793d6c5761d28f924c8076baac29537318b2261852e180ade4a564d4ad8023b21be651636d04f57105df368a33154ad02bf90a0d9b0936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c76acbc4c8411f4fcc421a9943ca029c

SHA1
adb9adce338497dca69f15628a4402dd983d3e13

SHA256
cfa4b841772a0c7e7f645b0badc9574c4f47d0770200233c041494a743f8dadd

SHA512
74704c2fb6372999d371189c034444020593fe06efbd2a5e96b41e3fa0f7b39f4e672be18058408d8086388064577fbd8cff8d17e0bd43f66ea1cb8dc511e44a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cd608701623d1413fe48732c7cdcd7fa

SHA1
0c85d04912992b445dde48da1a6eac606c3753d1

SHA256
925f835f5f3597d55cc0d516b3d515e143660e44493efff3344b829436ede0ea

SHA512
9c50144be687deab85d72d063c4496c22c0a9ab0992773e2c2f069131d3097714b100f25f2de02756259732908bdd4a04adb34e70fcb35f98388a878d7b1271a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
db3b30a8ae2dae2f423c26fed6bfb709

SHA1
48f486a94401e0c42c44297930c804c364a7dcd5

SHA256
18c2ca781ba875265b0e1e5e856b04953cfce42565131af85063db051d5264c3

SHA512
82715df927c62335b81d8d79d5f78ef868ae7b439b1eff5c192440a7c84c209f416c4016da1e8d81f3df925ab0f3429ba023c179f68cce4df56ea4a813cf1439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4a4917f82822f031596c2f22697e1253

SHA1
e552a160164f03635218e378402b34a80f6f5f7e

SHA256
a32f8f0d207248fa2e64249d03c2fc2df6f1e0eeda7491956c62cf1ab8cfd1e4

SHA512
df84cb967cf3d9a1dcf010e4dbf2b0debb32c023271c4557d0b7cadddd051a3d908ab96ce59a5196bc5b0409fa188a47f3f7e6e194412891b2ac3f5ed1944942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa5e1133c37b466d9ddcf9b6d7b1f881

SHA1
c3ecaa47e05d653615db4c25db9fbe24670a0e45

SHA256
d4fb0f11b3a1242b93a8b36d02e3d3b356821f7ca1a150ffc09ae11393ef6fa3

SHA512
96b063328c993fde135cc84019b9695a960910096fccab75477c63613f0c984f1675900395d54c552bc72daba4221aacc4830a99b9f84910c8edab2f94630336

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e155c4ab6afa1cfd5fac1bccd597dd49

SHA1
e8af234db5fa1c84a7e783d3bc2a53c1e5f89d9a

SHA256
38125256fbcfbebb2e46e6a38897f092f03ad927a29c59a9bdc9ca7876b46f9c

SHA512
7434e1e6a2dc664b40bce5e69c2a83d3caf6e52d12ddb5b32c580e62f4f9efb5482cdf5b5af4cfe78607bd87e67f9a8782fc1721551cf5c06fdaf00327e1e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1d70ca1fd900017c748aaf7a51b09891

SHA1
3e992ac1c9a2d043b2091495b094f0997b1e4c88

SHA256
daf592f660853cbb2562e04a6e18d295ad70d972f9accae9bd52a0203722b45c

SHA512
418529e81f7705aae43cc3a565cd48058e062f3253efb1cea743492ac1e4c65ea0172bcc3fce718d3c31cb3fdb82c2f252dd22859438e4576c2ecc07437add48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3a7ac61c775bc831cef8027f73a3c477

SHA1
5550b4fc4d7c41a197c88d589590395e67559023

SHA256
5aade616458fc49bb91963ffc82c6eef02ce0fc8be423fae405e46e22495b80a

SHA512
f27127c0141a3a7ed4c81e62bb7b9f2cd0dbf80e345b7d544287887a3e47c38c0dc8ce669d01694e0cef8791675ecbb0f046b22aea59e31e777aa77fe7e30417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
91b4deee0c118df54c329bc5855c8163

SHA1
811700108fb33b6ab7c00f1d444d4fc8bcc27abc

SHA256
cad1af446068103231f4258c8bfda3f3f2fb4b919d356c29cae901717f67a7e3

SHA512
c260c704fc37c2c1daa9d89abceb3b1a8196880d09c508fe3f28aa918fa770dbe1621023be806cb316680e271b77fbc9d7ab8bf3a52eb4c5e460c50ace2b23fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
818affa634eca688fa47ff70c3c213c6

SHA1
64816ffe2bee03ebb39d64bdf1f9b8a69c4714d9

SHA256
65977fb529d21d7c7089d63df1c66e3ca316c631489055d31cf573fa0383de39

SHA512
d85e60f815e9a58a1749c9c684308ed3bc6a82cfeffdee71e992eb53f6cabbd8eea79ca65fcd42ebb7cd55985a1e4034f16a6043e8bf26b43041e9c7880d8d95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A36A4041-1BEC-11EF-888E-CA4C2FB69A12}.dat
Filesize
5KB

MD5
a9d4abb050e19d5284963f90603c5625

SHA1
24e5c6bd6168f290d7884bd83e01beb01e5ab4ce

SHA256
42f2698472c464785033a980bb309fd74359c50c45038104fb641dabaf5a6364

SHA512
d38a06fb0262d42f051279b70dfcf75f8fc1540e9bb115cbd8864a04d5a47293662f79796973047664d473f3c7cc10c50d33536ff86b0672d92dedef94b9f84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD79.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MRINFO.lnk
Filesize
1KB

MD5
d0c3c283ac2441907bf6462f3d712d58

SHA1
e5f7176d7e72cd6aade230a6afb62e6595b51470

SHA256
c9fdb0f74e40e1a896da2f659919d0c30e49226bbf08551aa33ee6680e571345

SHA512
57e813ce4708088d7f4e9627b045c7cfc0c856b873d51b78cee58484d395db70801422119279ff5bee601df37a5490f7561b6e2bb897a8b49929c0beaa49fe99

Download Submit
\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\MRINFO.EXE
Filesize
177KB

MD5
4612fbda398e6d7570975a3b122849d8

SHA1
0b044922439de8838eb6c0dcf604c47dd36dd4dd

SHA256
d7401acbe93358af3649a47f80a178df497f699d8d430b8400b008dec894b1b9

SHA512
5f3f223067e4cb5c40b5ded590b877d6644762f5c4ffd14414ad9430721b8418a674b3e74ba7d5fa3e7339c4a73f2eca27370c1f2de51641e721f4f22a15d803

Download Submit
memory/1328-1064-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-2-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download
memory/1724-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-5-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1724-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-1066-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-451-0x0000000004540000-0x0000000004542000-memory.dmp

Filesize
8KB

Download
memory/1992-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-22-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1992-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download