Resubmissions

23-02-2024 12:12

240223-pdfnssga62 7

22-02-2024 20:44

240222-zjcjfafd56 7

22-02-2024 20:34

240222-zcklgafc76 10

Analysis

  • max time kernel
    298s
  • max time network
    302s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-02-2024 20:34

General

  • Target

    Hatch-1.9.3.exe

  • Size

    26.1MB

  • MD5

    ee4299c7cd102c07e3e1995909a6e3d2

  • SHA1

    06023c8802d2ea919228be2caac7de7604f29cc5

  • SHA256

    184477c1255104df23974e459338c3b5c6364ff8fa70ebc81765a25762b39d19

  • SHA512

    aed814dbb14833ae06915a44ebc3019f97eb7078a7583c1d1b2245170f672d70c8d411813b0ee1c73f0f32e2e54bba038f57cfbf60c95c46dceac669a30ef0ed

  • SSDEEP

    786432:hqpXhwkzW6IivTQ3ZQj0zkhGxdgl2PHMeAB1i:gpXhLzW61vcGwxdgl2PH1M1i

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___1NY6Q32_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/8D68-7871-92AF-0446-9278 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/8D68-7871-92AF-0446-9278 2. http://p27dokhpz2n7nvgr.14ewqv.top/8D68-7871-92AF-0446-9278 3. http://p27dokhpz2n7nvgr.14vvrc.top/8D68-7871-92AF-0446-9278 4. http://p27dokhpz2n7nvgr.129p1t.top/8D68-7871-92AF-0446-9278 5. http://p27dokhpz2n7nvgr.1apgrn.top/8D68-7871-92AF-0446-9278 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/8D68-7871-92AF-0446-9278

http://p27dokhpz2n7nvgr.12hygy.top/8D68-7871-92AF-0446-9278

http://p27dokhpz2n7nvgr.14ewqv.top/8D68-7871-92AF-0446-9278

http://p27dokhpz2n7nvgr.14vvrc.top/8D68-7871-92AF-0446-9278

http://p27dokhpz2n7nvgr.129p1t.top/8D68-7871-92AF-0446-9278

http://p27dokhpz2n7nvgr.1apgrn.top/8D68-7871-92AF-0446-9278

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___KTLH_.hta

Family

cerber

Ransom Note

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (1124) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 45 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Windows\Temp\{30F0AA91-3EC2-40AF-B2B5-7BC46F94B899}\.cr\Hatch-1.9.3.exe
      "C:\Windows\Temp\{30F0AA91-3EC2-40AF-B2B5-7BC46F94B899}\.cr\Hatch-1.9.3.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe" -burn.filehandle.attached=556 -burn.filehandle.self=536
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.be\Hatch-1.9.3.exe
        "C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.be\Hatch-1.9.3.exe" -q -burn.elevated BurnPipe.{B52557DE-6142-47D2-A6FF-4D5176360A33} {4B933648-F4B7-4C2D-83E5-987FB66C37A4} 1804
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
          "C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" /install /quiet /norestart
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3880
          • C:\Windows\Temp\{28D30F40-CA99-46B4-AE3B-A6F5DF94F93D}\.cr\VC_redist.x64.exe
            "C:\Windows\Temp\{28D30F40-CA99-46B4-AE3B-A6F5DF94F93D}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 /install /quiet /norestart
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:8
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4404
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
      PID:840
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
      "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" /modify
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
        "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.clean.room="C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.filehandle.attached=548 -burn.filehandle.self=568 /modify
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
          "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -q -burn.elevated BurnPipe.{DAF695FB-7F79-4725-AE13-E1F79B43650F} {F779D179-5C7C-45B8-9E23-CDCE921022A7} 3244
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3200
          • C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
            "C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" /install /quiet /norestart
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Windows\Temp\{99A6085B-2E96-4689-A5C9-409293AC2351}\.cr\VC_redist.x64.exe
              "C:\Windows\Temp\{99A6085B-2E96-4689-A5C9-409293AC2351}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" -burn.filehandle.attached=580 -burn.filehandle.self=488 /install /quiet /norestart
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:3020
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1776
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1004
      • C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
        "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3276
        • C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
          "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.clean.room="C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.filehandle.attached=528 -burn.filehandle.self=536
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3132
      • C:\Windows\system32\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UpdateReset.bmp"
        1⤵
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4376
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
        1⤵
          PID:3016
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
          1⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of WriteProcessMemory
          PID:3132
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9074146f8,0x7ff907414708,0x7ff907414718
            2⤵
              PID:2456
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
              2⤵
                PID:1488
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
                2⤵
                  PID:228
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
                  2⤵
                    PID:2380
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                    2⤵
                      PID:4952
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
                      2⤵
                        PID:3456
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
                        2⤵
                          PID:2940
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
                          2⤵
                            PID:4208
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
                            2⤵
                              PID:3740
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
                              2⤵
                                PID:4788
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
                                2⤵
                                  PID:4680
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
                                  2⤵
                                    PID:936
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                                    2⤵
                                      PID:2248
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
                                      2⤵
                                        PID:3880
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5824 /prefetch:8
                                        2⤵
                                          PID:5084
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
                                          2⤵
                                          • Modifies registry class
                                          PID:2672
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:1
                                          2⤵
                                            PID:1372
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
                                            2⤵
                                              PID:608
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
                                              2⤵
                                                PID:2992
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
                                                2⤵
                                                  PID:4180
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
                                                  2⤵
                                                    PID:3296
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
                                                    2⤵
                                                      PID:4604
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
                                                      2⤵
                                                        PID:2056
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
                                                        2⤵
                                                          PID:5668
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
                                                          2⤵
                                                            PID:5836
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2764 /prefetch:2
                                                            2⤵
                                                              PID:4772
                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                            1⤵
                                                              PID:3976
                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                              1⤵
                                                                PID:968
                                                              • C:\Users\Admin\Desktop\cerber.exe
                                                                "C:\Users\Admin\Desktop\cerber.exe"
                                                                1⤵
                                                                • Drops startup file
                                                                • Drops file in System32 directory
                                                                • Sets desktop wallpaper using registry
                                                                • Drops file in Program Files directory
                                                                • Drops file in Windows directory
                                                                • Modifies registry class
                                                                PID:5808
                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
                                                                  2⤵
                                                                  • Modifies Windows Firewall
                                                                  PID:5832
                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                  C:\Windows\system32\netsh.exe advfirewall reset
                                                                  2⤵
                                                                  • Modifies Windows Firewall
                                                                  PID:6036
                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___S7FH_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                  2⤵
                                                                    PID:5756
                                                                  • C:\Windows\SysWOW64\NOTEPAD.EXE
                                                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CURMT32P_.txt
                                                                    2⤵
                                                                    • Opens file in notepad (likely ransom note)
                                                                    PID:1960
                                                                • C:\Users\Admin\Desktop\cerber.exe
                                                                  "C:\Users\Admin\Desktop\cerber.exe"
                                                                  1⤵
                                                                    PID:3796
                                                                  • C:\Users\Admin\Desktop\cerber.exe
                                                                    "C:\Users\Admin\Desktop\cerber.exe"
                                                                    1⤵
                                                                      PID:6056
                                                                    • C:\Users\Admin\Desktop\cerber.exe
                                                                      "C:\Users\Admin\Desktop\cerber.exe"
                                                                      1⤵
                                                                        PID:2732
                                                                      • C:\Users\Admin\Desktop\cerber.exe
                                                                        "C:\Users\Admin\Desktop\cerber.exe"
                                                                        1⤵
                                                                          PID:5348

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Downloads

                                                                        • C:\Config.Msi\e577c26.rbs
                                                                          Filesize

                                                                          8KB

                                                                          MD5

                                                                          e48e8b43cb7045f2bf6b6c3c1973bc3b

                                                                          SHA1

                                                                          80dc2a2ca743b1988fa67d610a9a212fc47d9bd7

                                                                          SHA256

                                                                          5b9fe254475ce973e9a220b8d0ee597980bd6da25278d2f58cf1922f825231d5

                                                                          SHA512

                                                                          5cffcd6acfb1b7dff7d36e74ecdd822fe633b4646287286f5eba3e79cead35ad5478e0a571dcfe34ff60d89b4f0cd4621d1f123d08922a6711c0895256cd1cf1

                                                                        • C:\Config.Msi\e577c2a.rbs
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          b8ca71e35127f85db5e87e8bb554497d

                                                                          SHA1

                                                                          7f7d33326502158bb5703e677132c97510f23426

                                                                          SHA256

                                                                          43f5f79aebacdab502dabd5ee96b34a11744a3575095faa4ef3963f438397a4e

                                                                          SHA512

                                                                          824a4c02e16e70baab3b4e13abb330631e38e0a4c57b6c474414e769cac2e1d1035fc78058283d7e8bf7ac905867498368d81072abcd383981bd5cb2cc0ebace

                                                                        • C:\Program Files\Hatch\LicenseFile
                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          74401bb59d6d0e179cb820f588416fca

                                                                          SHA1

                                                                          c4c201ce31066a35e7cb997a04fb4dc23ecb87fa

                                                                          SHA256

                                                                          15d9f75684e8c6571ae6714517fe453b21de6d3a07b1546dc8813bc7469a3ca6

                                                                          SHA512

                                                                          869bdad076f6f4b46ac3f6ee03ef52628cfbbf70542dbbc2bc66ca393dd37bad248da5b83f8ea7438791c8220f2e32e5c8a63c5370eecb717ce6efd6e29167bc

                                                                        • C:\Program Files\Hatch\hatch.exe
                                                                          Filesize

                                                                          3.8MB

                                                                          MD5

                                                                          3d81dba29c92788fec342ff529acd0da

                                                                          SHA1

                                                                          578a99d61f5850c6c030b6e1d3380bf814b27355

                                                                          SHA256

                                                                          14808357b9e4d1ccb14f6b0d559d8358b027a026bd7115641524704a2ccdfe20

                                                                          SHA512

                                                                          d9970dbdc9743cf299a598ee9c699238f9501f134830ba1d486ba83ab64f65a2a071dd2479f71f6ae05997cc0eae554aa2530479f5272ff386e87acaea738061

                                                                        • C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
                                                                          Filesize

                                                                          10.7MB

                                                                          MD5

                                                                          2d3c26482e00ccf22fcca0d1792a81ae

                                                                          SHA1

                                                                          28f9fc392f4b16cfb1997f0745f3e23fa5a96404

                                                                          SHA256

                                                                          827f00e0b8e109d62a42309578c2eb184bec6ae6e4e5a5d16599641ff5a385a2

                                                                          SHA512

                                                                          b9b60331ba05ac3c65a745c7023ab0c9f59796cd9eedbf48cf2a8025642516045d71591cf8a59cd2186d4faee9fedc20b3757c188604fd6753d03525d41bb211

                                                                        • C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\state.rsm
                                                                          Filesize

                                                                          786B

                                                                          MD5

                                                                          980f3123ad0f4ed88580f9410106b812

                                                                          SHA1

                                                                          1a7f46962b65b253fef4a33eb5821a7838f88f41

                                                                          SHA256

                                                                          92b06afe90387b72b08b6348798e666273e3ad05b1f792baeba3258db00effbf

                                                                          SHA512

                                                                          f38ccf262cbae7d6a94d281b4c3d03c23eee84fd2ac50fc338fe213861e72c57302425b22b8adb527bc399e8a83c3b6adee2475c459a7a8839414cf0f8bb3f07

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          d4c957a0a66b47d997435ead0940becf

                                                                          SHA1

                                                                          1aed2765dd971764b96455003851f8965e3ae07d

                                                                          SHA256

                                                                          53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163

                                                                          SHA512

                                                                          19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          343e73b39eb89ceab25618efc0cd8c8c

                                                                          SHA1

                                                                          6a5c7dcfd4cd4088793de6a3966aa914a07faf4c

                                                                          SHA256

                                                                          6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223

                                                                          SHA512

                                                                          54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
                                                                          Filesize

                                                                          43KB

                                                                          MD5

                                                                          8d1ef1b5e990728dc58e4540990abb3c

                                                                          SHA1

                                                                          79528be717f3be27ac2ff928512f21044273de31

                                                                          SHA256

                                                                          3bdb20d0034f62ebaa1b4f32de53ea7b5fd1a631923439ab0a24a31bccde86d9

                                                                          SHA512

                                                                          cd425e0469fdba5e508d08100c2e533ef095eeacf068f16b508b3467684a784755b1944b55eb054bbd21201ba4ce6247f459cc414029c7b0eb44bdb58c33ff14

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
                                                                          Filesize

                                                                          24KB

                                                                          MD5

                                                                          1deeafca9849f28c153a97f5070355d6

                                                                          SHA1

                                                                          03b46b765150a2f308353bcb9838cbdd4e28f893

                                                                          SHA256

                                                                          b1639f4ce0285c41f4bd666f3fae4767094e3042b0379646b5ccfe04ef01ec19

                                                                          SHA512

                                                                          52122b7e3ca9b58eab42fc652c24b4b8c17c43970f88860372d8377c49c540c31ddc81b519f4d59d34e199571758f82ab2fea0737ac1f847b3d4dd75d7acac19

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
                                                                          Filesize

                                                                          49KB

                                                                          MD5

                                                                          4b4947c20d0989be322a003596b94bdc

                                                                          SHA1

                                                                          f24db7a83eb52ecbd99c35c2af513e85a5a06dda

                                                                          SHA256

                                                                          96f697d16fbe496e4575cd5f655c0edb07b3f737c2f03de8c9dda54e635b3180

                                                                          SHA512

                                                                          2a3443e18051b7c830517143482bf6bffd54725935e37ee58d6464fac52d3ce29c6a85fc842b306feaa49e424ba6086942fc3f0fea8bb28e7495070a38ce2e59

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
                                                                          Filesize

                                                                          23KB

                                                                          MD5

                                                                          bc4836b104a72b46dcfc30b7164850f8

                                                                          SHA1

                                                                          390981a02ebaac911f5119d0fbca40838387b005

                                                                          SHA256

                                                                          0e0b0894faf2fc17d516cb2de5955e1f3ae4d5a8f149a5ab43c4e4c367a85929

                                                                          SHA512

                                                                          e96421dd2903edea7745971364f8913c2d6754138f516e97c758556a2c6a276ba198cdfa86eb26fe24a39259faff073d47ef995a82667fa7dee7b84f1c76c2b2

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                          Filesize

                                                                          4KB

                                                                          MD5

                                                                          d02335351b682a22e32913203a6f12d3

                                                                          SHA1

                                                                          d544040545062bb811252689fea24fda8cdd2450

                                                                          SHA256

                                                                          4460b45555b33b166ba41ae89210d488c6d19fc944cea4049ab1a749cbd2a016

                                                                          SHA512

                                                                          33c2d3b77b6459e09252cce5d296a0d3907362506c6a02844e966faebbc94a189d69e1589672f6d0e31512f721b470c7b080d83b47a8f8a69f2ce2ce95975881

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 9f325524784a47af5c7eb373c7f78eb1
  SHA1: 89381bd7a5db0c55b2d2b597d0eeb26f5d9411a1
  SHA256: e90ae2a496808c64444998f943cb6ee2ec555437c861603b0e4b881d76d702b4
  SHA512: 23465abd1f7bf97bf22f9fd999253c3ed10dd107be4d62cfaad6964dfefdf4bfeb0993851cff977554bdeee9955b4cd82db1635acf3c0562b1b0d71665a8c695

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1013B
  MD5: 4bc87710785d8522f47504664457cd63
  SHA1: 1e0c958a6864fc4cb59f18e4015a1510a2c84144
  SHA256: 81e341133b87ad7a248c69425d907b38fbdd7b89865a224ad64ccabe5f365976
  SHA512: 9c652e15c249b56ffc9b4b7b9e4526196174678559bf3f8b34da742b32cfa5cb1a5b9eb16526c27bb3aeb4866c66186f307c631fee55ce211a64e8dbfe3df299

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 5cd47eff2e9f113a4c1ca01144a69a6c
  SHA1: d662d728a33b9445c9cdaee024d0e15cd40b68f8
  SHA256: 46688dd9b2d85f721ec04c4daecfee3410fb16d312f88a3ce1b7addc77626a48
  SHA512: e7307d329b436cffd5108088c5fdde914362a150037003d4cf6540d0c9f7fca9dc0599614244828e0c8f60f35efe17d234f44fd473a0ade4d622b7c39453a457

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: b8d61ef7e83f5897b60284575e3a2f90
  SHA1: 304baa51d11f173e48c6dd30c4d46f3d94d3b94a
  SHA256: 7b4c555394940b4a22f6bb9c7beecc3644fb80c6f6f46b29d4d8ea36e7fb2378
  SHA512: eb5db4fb3b2cf1d70d43328fec60639bf7263fcbd0922c0c2ca4b34db93f3ab19328266d4095cc53480c9a888b7ee42cfda117a8bfddade13a9281eaaa063646

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 993cc8a4f7cf9954293a4d04cb67c0e6
  SHA1: c5a4e534d6a8d571af983e6dec603b4dc354048c
  SHA256: 8c39d064cebd6cbbc7772028e87cf36c319da696c5da7ec82e7c69c90c3efad2
  SHA512: 1e176a1e3de5a4ac8f96a49ac9c52bda69121f29164736ed6d81cda8ea6224dff6a46505bc2c6053d1144a802815801a59adab89bbc9e993cfed9b12bec5f699

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 6341d3d4e2dfc82a8811c984863f880e
  SHA1: b3c81f13ba68be40f54fa52e595f9217343e0805
  SHA256: dc5a282116ab6faed057c72e8606d514531ea7eb4a5841e277006a57d333d05f
  SHA512: b76d80a0156682bff8c7aed22404fa56e953ebcc9a5032571166f8133ecd4639a4075436ce008866a2f7a4eb30176676ee39fd9d4d7b59f20fa025b639562a45

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: a34dc07aa56e9cb769ece665b8e5337c
  SHA1: 317d9efd5c855a25d4343b8bc53153b78547bf03
  SHA256: 2f53180421affb4ef330875fb9da5f2bca5e40ca3e3697e6137755b146474c6c
  SHA512: 731a8307bc20379927eb3b5e97c89bc1e8732ed7c5fa60c6c55644f2f75ddb55b1e898d9a5d1059ab386a46f05bda637669a51ea12c281c6314760bce5d91ac2

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: ebfdaecb9679b4397f98cc1a20be9183
  SHA1: db1b8c106b19f8babc63e0532c8459d7ab807c01
  SHA256: 65c79c6a2744821b7bd2c9819c95e77f06de16b021eed663b11f1fcaf7e729e2
  SHA512: fc316de69fd78a93e39db9a823d89b616db27e36b4c1b2b56a9a4785cb4aa409bd7704968f915128dff6b5dc0279bc2c621a6d36a06a87d06959693283b9f45f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: cdbd72a43a1b61512e85c96ad6ca20d1
  SHA1: 7f318a55acf65b1f666974b56d164b4740c0e4f0
  SHA256: cbe61aadb7f0cc0eee36f44f1a6adddd6afbc175affed90d8d4c864ef3fbfdfc
  SHA512: 2e4c3c4cf3c921b1f89f0e4a2e74376021912de380678a0c230b36cf691cd169f6859445f564fc294c6cba0b75f8df3154f6c56498cd52a390a0f7c679c21eac

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 444649d26d8ee302efbb1d315a9dfa81
  SHA1: b8034c231ea3f26975299768c477113343914737
  SHA256: 430d545517600e57e352e98851e28733f1ae43d1c9421360f713821297a6eb9c
  SHA512: fccafff3f27f74835217e5ba204c78f8a5aaef806758a31db34d9310b69b01085d98a11f431b95e7714d31da139cfb4ff569070f84306bc5dbb45d4894a9300a

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 8eb71ef83ba4a30f8fbd57def722712a
  SHA1: 4de41ba8427d0039955035c292c3863897143493
  SHA256: 1d7a556fc363a370554cc80d6837862e497bfce23b932eb196c583aad1c8fe7f
  SHA512: 804f451dc4c6bfd9bb6a9f3830b465400dffbc6c2ac25214b0c20a21d68fb1ff51a6d1a9cc9f44cb1a032b3e0dcde2135d01c6b9b0bc7b64509cfda61ba17fdb

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a80ca.TMP
  Filesize: 1KB
  MD5: 7e98fe3b341531d16d3f8f4931c923b7
  SHA1: 434c210a7123a740e13666c56cff23c5d081221f
  SHA256: 88ea2a40c426cc356ebf1dd3a13d6105574b419a2dc5dff8fa1d9fb86ff9f65b
  SHA512: 922bf68129c1eb212b4962cfad4d21eb86a813bc38794806a61df923c9f38bf27ecc1f90c50fbe43d15c390682239adf20b28a271dcd963a835e50dca5e9d84d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: a38f6bcae5f3baf5c021282b1a44e365
  SHA1: 095a8a3ae27c5e02d432bc58c2c9f44021006c2f
  SHA256: ff71b58f6e6f3754d7ee7a7b1af0b81696fcbf306f5f8172dc6de1d2ae4f8ce2
  SHA512: 4273b98fc58f4949f341a280209848ade0d7a095e00669f918c41b8143fd5d8d25d265d1bd3324405c2208abc3fab6827761d3fc6dda624d425fa216eb6e6267

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 6ced1456e0cf6e16e283edc11acdc30b
  SHA1: 4187f5181237c02339feb6ddea88fc2d3fc1ad1f
  SHA256: f1fd680875c59f41fb7b339aa9b0432e3d7c0d927c18ded0c6e504181f342111
  SHA512: 1a1afaf00fb43af4811170f05c24a6dbb1e1744e0aa5e553cad851fec42c5d995388e3c9e937d2424b0ddd5327802352ccd1388c9967fcd78152cb63d3da898b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: eb2818ec9232ab1e09140ec5eaccd2fb
  SHA1: da41a2418d702ebb9fe792332e08898a3e139491
  SHA256: 2e61aab503e5125183df2782cff884c721372369218cd3039320251ef7319166
  SHA512: 45cc521c45a42e37810828295c3ef3757bb653afd04351ae69cc7b742a05e472ae631b47e553594022f00a3563cacf40632152f1edce177be3c84e661b7bde45

• C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___KTLH_.hta
  Filesize: 75KB
  MD5: 337ad1c10581978d9b132e8b4d8ccdd0
  SHA1: ed6d6c24cb2fc86e5cfd8582c22b3bccd94e02a1
  SHA256: b81d7715ff62303b30c7c785cf29ad98ec999a739cee1dd745ffb520fab4d7f9
  SHA512: 1d812f65a17482b55823f3b7eb13baf1d19bc92d8dd1244a6a99a450c73b37e2780f1fab950a92b7d1cfe1ab514a3179ccc3b12c62424ba54bd01b332dc7cfbe

• C:\Users\Admin\AppData\Local\Temp\Hatch_20240222203440_001_Hatch_1.9.3_x64.msi.log
  Filesize: 45KB
  MD5: ffb0abf5d2f812e6ff367fb7b42928a4
  SHA1: 2a57dcfe4148e76a97400ddd54aa457875f0df59
  SHA256: 257b0c059b2545d23813c7fd6a97a67208958a5de5d6284a7b7fdb5dbed688d2
  SHA512: 62a5cbe85a8f3427e510d8318cb95cfc049428eb02f3f84a436cc7309792963c817e9f9557720742c15914e24020bdda90c4f61e2d2a725bbc5d964377271d41

• C:\Users\Admin\AppData\Local\Temp\Hatch_20240222203555_001_Hatch_1.9.3_x64.msi.log
  Filesize: 1KB
  MD5: 2ffd11ad7b31ae8afe0bf7510eb76c2b
  SHA1: e8325a014e8cc70a400ddb8b29665edde3e7a6da
  SHA256: 2d9db939e40f5f5148388baa86ecaea6ffe0ad8a109eb39c1235dbcfc085b543
  SHA512: d249460648293fcab02e4767ead5ecbfebbe42300fb98f5b7cb2e10be8aa0162b7a53ca8d4f2aac0e3c8b1de97ba99e1d408918735eb0b722c8b9b05a1f889bd

• C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___1NY6Q32_.txt
  Filesize: 1KB
  MD5: 2466754a57514dec1d228ca7d509132a
  SHA1: bb5c3f9c407d059c611d6643fde30fcc3db11d03
  SHA256: 9a3d542dc714a0a8bd90f920f393f537cc0de31bf4c6ae9b7e76dfd4438e6a47
  SHA512: 24e76b74e660dba2f83bd418b55da05e59865858fea965aafa6bfd37601c3a9e14728d72cb6d9d6813c974672af8e5add145e96270dd9c33fe06567b92179219

• C:\Users\Admin\Downloads\Unconfirmed 882616.crdownload
  Filesize: 15.1MB
  MD5: e88a0140466c45348c7b482bb3e103df
  SHA1: c59741da45f77ed2350c72055c7b3d96afd4bfc1
  SHA256: bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
  SHA512: 2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

• C:\Windows\Temp\{1CE23ADF-D98F-4446-B5E7-469D33239DEB}\.ba\BootstrapperApplicationData.xml
  Filesize: 3KB
  MD5: f17688eb475964556c72e6cd80b72b16
  SHA1: 0f567b8b96970d3f68ce3681cc529828e1cded07
  SHA256: 60214fdd631edc1362083f4a53bb3a5c2bfc5ca78bf30f645d0380b95e47fcc4
  SHA512: 19f2752ebde91c1316ae4e0973410795b49a6cd4ba19b501d09fe2e89386e06fb0416f11f0c3d985afc13640a05f0b147e8ff632173da3ae825497e10c1cf09d

• C:\Windows\Temp\{1CE23ADF-D98F-4446-B5E7-469D33239DEB}\.ba\thm.wxl
  Filesize: 4KB
  MD5: fc0db4142556d3f38b0744a12f5f9d3d
  SHA1: b0595044c4cac49fe89b982e6aec9baff38460ad
  SHA256: 8fbeb7f0b546d394d99b49d678d516402e8f54e5dea590cc91733f502f288019
  SHA512: f2f29db5f3b0e13bc0b1fe738ef90b65d82e5513d0f82eb663c39313c5edaab53fdeb4bcc0493374253b2994b927cfd5764f5fedafd2e3f570d09893f9b26582

• C:\Windows\Temp\{1CE23ADF-D98F-4446-B5E7-469D33239DEB}\.ba\thm.xml
  Filesize: 8KB
  MD5: c29a69f34ff31ff63c3ec6b2d4f903e5
  SHA1: 44e58eb62821c8d023bc91b51975162841647abd
  SHA256: 8d67851408a62b0f04dbaaddc588cd98499cf3630ec5df9f7c0699f0d367f79c
  SHA512: b46d13206c1a6064fe4857dc3de96769a773711fbdf5f8cc979216bd6b8e62703f1bdc3d3b86ed07405249613eb22697f0cdd039963f741bf2b13a4e3addd199

• C:\Windows\Temp\{28D30F40-CA99-46B4-AE3B-A6F5DF94F93D}\.cr\VC_redist.x64.exe
  Filesize: 633KB
  MD5: 60048558e4dfe8710f207f4a6b20b7bf
  SHA1: bcd0767615e7461f2cd632768b3b88ef1f629397
  SHA256: 7f9f4c81187317e5331c36cd4800449ec6118a76fa60e7307d2ab3ddf1761371
  SHA512: d90ba1ec137072a1664c9a8ef3e60577d7b816eda6d48188236c6a886b8c8715cae4a844a3fe13911cfb43c65dc22119887380480ddd2fd6bc4014b157086bf6

• C:\Windows\Temp\{30F0AA91-3EC2-40AF-B2B5-7BC46F94B899}\.cr\Hatch-1.9.3.exe
  Filesize: 556KB
  MD5: 4c2345b8880621f4912275972806cb53
  SHA1: 44913a723080defd1f9d52ed4d367af0dd26460e
  SHA256: 9df0138713fb10843eb73e547f0aa91932396329a5fe3f8a3cf1f12eddef5bc3
  SHA512: daa6172d9bd2076cd79402871b3e3b8c8dd2b62e1b54e386fec892a961a1afdd16222d003e8c2777c98bec4593fac385974d1e69f86f4bf0733bd97556415f7d

• C:\Windows\Temp\{3C0A02A0-09F2-4EFB-86B5-F3E17E89AF23}\.ba\logo.png
  Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

                                                                        • C:\Windows\Temp\{3C0A02A0-09F2-4EFB-86B5-F3E17E89AF23}\.ba\wixstdba.dll
                                                                          Filesize

                                                                          191KB

                                                                          MD5

                                                                          eab9caf4277829abdf6223ec1efa0edd

                                                                          SHA1

                                                                          74862ecf349a9bedd32699f2a7a4e00b4727543d

                                                                          SHA256

                                                                          a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

                                                                          SHA512

                                                                          45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

                                                                        • C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.ba\logo.png
                                                                          Filesize

                                                                          852B

                                                                          MD5

                                                                          8346e21859a269dccf1e408dc7593cca

                                                                          SHA1

                                                                          239f10674bf6022854c1f1bf7c91955bde34d3e4

                                                                          SHA256

                                                                          cd2e8ed1fbb308d9d166f49794d323a9b22efba1033cdf906d1f4b030319e01b

                                                                          SHA512

                                                                          de9a54e7067fe4feade10f48d7c2bb4169f50efa0b06d3310421376690712af4d55dbc24dc5accc5013379b11abb59cc8c85896fe9f2a7c6a7ea2e28f6feac9f

                                                                        • C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.ba\wixstdba.dll
                                                                          Filesize

                                                                          184KB

                                                                          MD5

                                                                          fe7e0bd53f52e6630473c31299a49fdd

                                                                          SHA1

                                                                          f706f45768bfb95f4c96dfa0be36df57aa863898

                                                                          SHA256

                                                                          2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

                                                                          SHA512

                                                                          feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

                                                                        • C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\Hatch_1.9.3_x64.msi
                                                                          Filesize

                                                                          2.0MB

                                                                          MD5

                                                                          14dcbccc567e9df2fdf55e8318d6d40d

                                                                          SHA1

                                                                          7932d810151f219f14412e8903887446edeb24a5

                                                                          SHA256

                                                                          0f31f9b776ea8b3cdb4b34188d257e62242f7a5bcb9503155d66620fe643bcae

                                                                          SHA512

                                                                          5e7dec4f8f3b7f604ebc8e9879d8b870854e80a95a81d9978f20d34c8f036133600e95ab717a55a57737794ecc31735d123a0d6c37436a970c863a34b3272707

                                                                        • C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\VC_redist.x64.exe
                                                                          Filesize

                                                                          9.0MB

                                                                          MD5

                                                                          6d6e3597b7afb8fd3743ff7d44bb2feb

                                                                          SHA1

                                                                          3119604c3edf7062b0ad8850a40989ae93a6038c

                                                                          SHA256

                                                                          ea3b0a61fce1ee6cf02f7c00db834c62c0e32bcfba3d22cb194ff23d3c31c2a1

                                                                          SHA512

                                                                          db56b30d73235d02ca8dbde2006c4f0a7ae5b18a95bd903c2b39b852d037a1e771ecb0262f4eec67e40327c8f1dc877594341893c65d4a1d13e53e1d737751ec

                                                                        • C:\Windows\Temp\{DD3A7C90-4326-4F97-8C6C-D96A85E29E3D}\VC_redist.x64.exe
                                                                          Filesize

                                                                          24.0MB

                                                                          MD5

                                                                          8e3eff4970b51419c3ca3319db724690

                                                                          SHA1

                                                                          9ade54d322be27bff05d5afec8ed44f9b2d9306e

                                                                          SHA256

                                                                          97cc5066eb3c7246cf89b735ae0f5a5304a7ee33dc087d65d9dff3a1a73fe803

                                                                          SHA512

                                                                          35ba410637878d5a9dede02d92df9747cd809b7f0894227b2cced3b21568cb2d485ca4dff5c756248de2ca820a560b18af60c3c3e8ca74ad69e9e2b355424897

                                                                        • \??\pipe\LOCAL\crashpad_3132_WVXTEKDWUXAEGLPQ
                                                                          MD5

                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                          SHA1

                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                          SHA256

                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                          SHA512

                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                        • memory/1776-183-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-175-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-185-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-184-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-182-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-180-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-174-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-186-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-181-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/1776-176-0x000001D7281A0000-0x000001D7281A1000-memory.dmp
                                                                          Filesize

                                                                          4KB

                                                                        • memory/2732-1029-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/2732-1031-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/3796-1021-0x0000000000440000-0x0000000000451000-memory.dmp
                                                                          Filesize

                                                                          68KB

                                                                        • memory/3796-1020-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/3796-1023-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5348-1032-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5348-1035-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5808-1000-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5808-1038-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5808-1040-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5808-1010-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5808-999-0x0000000000520000-0x0000000000551000-memory.dmp
                                                                          Filesize

                                                                          196KB

                                                                        • memory/5808-1408-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/5808-1425-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB

                                                                        • memory/6056-1027-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                          Filesize

                                                                          212KB