File name:	202405274612fbda398e6d7570975a3b122849d8cerber.exe
Full analysis:	https://app.any.run/tasks/ea6d22ce-12ad-481a-9dd8-e346e7790d67
Verdict:	Malicious activity
Threats:	Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly and has been evolving since. It became well-known for its file encryption, offline capabilities, and sophisticated evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also targets everyday users encrypting personal files (photos, documents) with the risk of their permanent loss. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 20:03:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-startup auto-reg cerber ransomware evasion possible-phishing phish-url
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	4612FBDA398E6D7570975A3B122849D8
SHA1:	0B044922439DE8838EB6C0DCF604C47DD36DD4DD
SHA256:	D7401ACBE93358AF3649A47F80A178DF497F699D8D430B8400B008DEC894B1B9
SSDEEP:	6144:gjOJQDMwfkHF1qUHyvBKF8+nRbNjb2s/jF9Ev:gBfkl1q2yv4F8+nRJX2H

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:05:30 07:36:51+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	150016
InitializedDataSize:	30720
UninitializedDataSize:	-
EntryPoint:	0x52b0
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	3.2.3.51
ProductVersionNumber:	3.2.3.51
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Russian
CharacterSet:	Unicode
Comments:	Выгрузчик Punto Switcher
CompanyName:	О ОО Яндекс
FileDescription:	Выгрузчик Punto Switcher
FileVersion:	3.2.3.51
InternalName:	Punto Switcher Unloader
LegalCopyright:	Copyright 2008-2011 ООО Яндекс
LegalTrademarks:	Punto Switcher
OriginalFileName:	puntounloader.exe
ProductName:	Punto Switcher
ProductVersion:	3.2.3.51


(PID) Process:	(1068) 202405274612fbda398e6d7570975a3b122849d8cerber.exe	Key:	HKEY_CURRENT_USER\Printers\Defaults\{4300906E-252F-DD84-8300-59D7201E9E37}
Operation:	write	Name:	Component_01
Value: 424E4B714A706836377168424B7A642F4A6434497A78655A434571714B653871534942516F6C773766397464314235756B7451444A46556D71314C63356B45364E6C31415747323031464561745345364379674762354A6F4A575576526B726635712B564C30577A46777069714E4B774538667A4444384E584D6A6676392B4C6D5371375458754C576E447A396531656A3764654A41324758374B2F6863516E3042484B7236566A5968373863564B4F4D496677655A3276684F736E4876586474667277734E2B4D3651683145634A674A6C4F486D6B5072733361695346462B72647561596B7072786E6961786C48585A6654527352664F505A53762B64535372365332526275753530464F4A6C716C6676624E70445A497A36783475557A49443065445653686E43704D79636C4B50317A6373517761496236374D326D6C52304A65305935544A683258572F4662453663324447673D3D
(PID) Process:	(1068) 202405274612fbda398e6d7570975a3b122849d8cerber.exe	Key:	HKEY_CURRENT_USER\Printers\Defaults\{4300906E-252F-DD84-8300-59D7201E9E37}
Operation:	write	Name:	Component_00
Value: 9A04010126D2D6504002000001000000D4B20F5167B5FD37B3287D35600AFDD93BAB57AB00B2E719AF8F619FAACD8FC67B2BD0EAEAD81610EA254AF559FAC7081212A12ABA561F5964D63508E62207114C8F1A818ED9FD77000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001
(PID) Process:	(1068) 202405274612fbda398e6d7570975a3b122849d8cerber.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	dtdump
Value: "C:\Users\admin\AppData\Roaming\{CF9A297B-AC74-EC8E-5C44-DEEA0D4DAE71}\dtdump.exe"
(PID) Process:	(1068) 202405274612fbda398e6d7570975a3b122849d8cerber.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	dtdump
Value: "C:\Users\admin\AppData\Roaming\{CF9A297B-AC74-EC8E-5C44-DEEA0D4DAE71}\dtdump.exe"
(PID) Process:	(1068) 202405274612fbda398e6d7570975a3b122849d8cerber.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Command Processor
Operation:	write	Name:	AutoRun
Value: "C:\Users\admin\AppData\Roaming\{CF9A297B-AC74-EC8E-5C44-DEEA0D4DAE71}\dtdump.exe"
(PID) Process:	(1068) 202405274612fbda398e6d7570975a3b122849d8cerber.exe	Key:	HKEY_CURRENT_USER\Control Panel\Desktop
Operation:	write	Name:	SCRNSAVE.EXE
Value: "C:\Users\admin\AppData\Roaming\{CF9A297B-AC74-EC8E-5C44-DEEA0D4DAE71}\dtdump.exe"
(PID) Process:	(3092) dtdump.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3092) dtdump.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3092) dtdump.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3092) dtdump.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
6636	dtdump.exe	C:\Users\admin\Documents\# DECRYPT MY FILES #.html		html
		MD5:0B1E9666E65DED8695506891D39E1AA9	SHA256:BC9E07DCF1DE73C5E2CF1CA6E1DA29A6D271433E532D09791757B7AE14A0F516
6636	dtdump.exe	C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml		binary
		MD5:3E0CE8071E9BFD447787F04F7C1718E8	SHA256:616A4E3B67177333E58371310CD9F6550669DD012CD4AF95E4B6102A298B309A
6636	dtdump.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].json		binary
		MD5:1392DA3C9826D1020E5C00625394F223	SHA256:4488827F93282D80B6A4E6053FDD9C181620E3F0DF6189FC22FF057D0A79FA44
1068	202405274612fbda398e6d7570975a3b122849d8cerber.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dtdump.lnk		binary
		MD5:A4190682F8B0A4E3DE64B05C50C9FC16	SHA256:5D2FCB725027FF741D86D361DE699FA9030A23D40FE82A0D6973E22CB1B0B606
6636	dtdump.exe	C:\Users\admin\Documents\# DECRYPT MY FILES #.url		url
		MD5:9191906BD3CFA6CFC8595A10ED46962F	SHA256:6736B51224F5A8D8545C1682DC1965BAB571CB64C972D10458E585112887232E
6636	dtdump.exe	C:\Users\admin\AppData\Roaming\Microsoft\Outlook\# DECRYPT MY FILES #.html		html
		MD5:0B1E9666E65DED8695506891D39E1AA9	SHA256:BC9E07DCF1DE73C5E2CF1CA6E1DA29A6D271433E532D09791757B7AE14A0F516
6636	dtdump.exe	C:\Users\admin\Documents\Q41bX72czZ.cerber		binary
		MD5:EFD12D9211BF3671E4C32FB41BD52F77	SHA256:977AD5ABEA2FBEA2C35FBE6BE7CFA38CC36DD5B1983BA68C529800D108C81899
1068	202405274612fbda398e6d7570975a3b122849d8cerber.exe	C:\Users\admin\AppData\Roaming\{CF9A297B-AC74-EC8E-5C44-DEEA0D4DAE71}\dtdump.exe		executable
		MD5:4612FBDA398E6D7570975A3B122849D8	SHA256:D7401ACBE93358AF3649A47F80A178DF497F699D8D430B8400B008DEC894B1B9
6636	dtdump.exe	C:\Users\admin\AppData\Roaming\Microsoft\Outlook\hddfCLqUjW.cerber		binary
		MD5:3E0CE8071E9BFD447787F04F7C1718E8	SHA256:616A4E3B67177333E58371310CD9F6550669DD012CD4AF95E4B6102A298B309A
6636	dtdump.exe	C:\Users\admin\Documents\# DECRYPT MY FILES #.txt		text
		MD5:FBD9692354D7F91F7FBC4062106DEF76	SHA256:EB6023BBB5BEAEB621E177A0BDE1DDCBB5626F02A6AB824B1BB106C9E05FDD96

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1688	RUXIMICS.exe	GET	200	184.25.50.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.25.50.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.131:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
6636	dtdump.exe	GET	200	34.117.59.81:80	http://ipinfo.io/json	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.25.50.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1688	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.3:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	400	40.126.31.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1688	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	184.25.50.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.25.50.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1688	RUXIMICS.exe	184.25.50.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5944	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	184.25.50.8 184.25.50.10 23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	2.23.246.101 23.35.229.160	whitelisted
login.live.com	20.190.160.66 40.126.32.76 40.126.32.74 20.190.160.4 20.190.160.64 20.190.160.5 20.190.160.131 40.126.32.140	whitelisted
ipinfo.io	34.117.59.81	whitelisted
nexusrules.officeapps.live.com	52.111.243.29	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6636	dtdump.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ipinfo.io

General Info

202405274612fbda398e6d7570975a3b122849d8cerber.exe

4612FBDA398E6D7570975A3B122849D8

0B044922439DE8838EB6C0DCF604C47DD36DD4DD

D7401ACBE93358AF3649A47F80A178DF497F699D8D430B8400B008DEC894B1B9

6144:gjOJQDMwfkHF1qUHyvBKF8+nRbNjb2s/jF9Ev:gBfkl1q2yv4F8+nRJX2H

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CERBER mutex has been found

Changes the autorun value in the registry

The process uses screensaver hijack for persistence

Starts CMD.EXE for self-deleting

Deletes shadow copies

RANSOMWARE has been detected

Create files in the Startup directory

SUSPICIOUS

Starts itself from another location

Hides command output

Starts CMD.EXE for commands execution

Uses TASKKILL.EXE to kill process

Reads security settings of Internet Explorer

The executable file from the user directory is run by the CMD process

Runs PING.EXE to delay simulation

Executes as Windows Service

Checks for external IP

There is functionality for taking screenshot (YARA)

Creates file in the systems drive root

Possibly a phishing URL contains email has been detected

Start notepad (likely ransomware note)

The process executes VB scripts

Executable content was dropped or overwritten

INFO

Creates files or folders in the user directory

The sample compiled with russian language support

Reads the computer name

Checks supported languages

Process checks whether UAC notifications are on

Process checks computer location settings

Launching a file from a Registry key

Reads security settings of Internet Explorer

Checks proxy server information

Manual execution by a user

Application launched itself

Reads Environment values

Reads the machine GUID from the registry

Launching a file from the Startup directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information