Resubmissions
23-02-2024 12:12 240223-pdfnssga62 7
22-02-2024 20:44 240222-zjcjfafd56 7
22-02-2024 20:34 240222-zcklgafc76 10
Analysis
- max time kernel: 298s
- max time network: 302s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
- submitted: 22-02-2024 20:34
Static task: static1
Behavioral task: behavioral1
Sample: Hatch-1.9.3.exe
Resource: win10v2004-20240221-en
General
- Target: Hatch-1.9.3.exe
- Size: 26.1MB
- MD5: ee4299c7cd102c07e3e1995909a6e3d2
- SHA1: 06023c8802d2ea919228be2caac7de7604f29cc5
- SHA256: 184477c1255104df23974e459338c3b5c6364ff8fa70ebc81765a25762b39d19
- SHA512: aed814dbb14833ae06915a44ebc3019f97eb7078a7583c1d1b2245170f672d70c8d411813b0ee1c73f0f32e2e54bba038f57cfbf60c95c46dceac669a30ef0ed
- SSDEEP: 786432:hqpXhwkzW6IivTQ3ZQj0zkhGxdgl2PHMeAB1i:gpXhLzW61vcGwxdgl2PH1M1i
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___1NY6Q32_.txt
cerber
http://p27dokhpz2n7nvgr.onion/8D68-7871-92AF-0446-9278
http://p27dokhpz2n7nvgr.12hygy.top/8D68-7871-92AF-0446-9278
http://p27dokhpz2n7nvgr.14ewqv.top/8D68-7871-92AF-0446-9278
http://p27dokhpz2n7nvgr.14vvrc.top/8D68-7871-92AF-0446-9278
http://p27dokhpz2n7nvgr.129p1t.top/8D68-7871-92AF-0446-9278
http://p27dokhpz2n7nvgr.1apgrn.top/8D68-7871-92AF-0446-9278
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___KTLH_.hta
cerber
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (1124) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
5832 | netsh.exe
6036 | netsh.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation | Hatch-1.9.3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation | Hatch-1.9.3.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ | cerber.exe
-
Executes dropped EXE 11 IoCs
Processes:
pid | process
1804 | Hatch-1.9.3.exe
3320 | Hatch-1.9.3.exe
3880 | VC_redist.x64.exe
8 | VC_redist.x64.exe
4912 | Hatch-1.9.3.exe
3244 | Hatch-1.9.3.exe
3276 | Hatch-1.9.3.exe
3132 | Hatch-1.9.3.exe
3200 | Hatch-1.9.3.exe
2080 | VC_redist.x64.exe
3020 | VC_redist.x64.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
1804 | Hatch-1.9.3.exe
8 | VC_redist.x64.exe
3244 | Hatch-1.9.3.exe
3132 | Hatch-1.9.3.exe
3020 | VC_redist.x64.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{b78eb0b2-2054-4778-8ed1-25038f8c1363} = "\"C:\\ProgramData\\Package Cache\\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\\Hatch-1.9.3.exe\" /burn.runonce" | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{b78eb0b2-2054-4778-8ed1-25038f8c1363} = "\"C:\\ProgramData\\Package Cache\\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\\Hatch-1.9.3.exe\" /burn.runonce" | Hatch-1.9.3.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\Q: | Hatch-1.9.3.exe
File opened (read-only) | \??\R: | Hatch-1.9.3.exe
File opened (read-only) | \??\U: | Hatch-1.9.3.exe
File opened (read-only) | \??\Y: | Hatch-1.9.3.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\H: | Hatch-1.9.3.exe
File opened (read-only) | \??\K: | Hatch-1.9.3.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\L: | Hatch-1.9.3.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\O: | Hatch-1.9.3.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | Hatch-1.9.3.exe
File opened (read-only) | \??\P: | Hatch-1.9.3.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | Hatch-1.9.3.exe
File opened (read-only) | \??\J: | Hatch-1.9.3.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | Hatch-1.9.3.exe
File opened (read-only) | \??\W: | Hatch-1.9.3.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | Hatch-1.9.3.exe
File opened (read-only) | \??\M: | Hatch-1.9.3.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | Hatch-1.9.3.exe
File opened (read-only) | \??\X: | Hatch-1.9.3.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\B: | Hatch-1.9.3.exe
File opened (read-only) | \??\E: | Hatch-1.9.3.exe
File opened (read-only) | \??\Z: | Hatch-1.9.3.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\T: | Hatch-1.9.3.exe
File opened (read-only) | \??\V: | Hatch-1.9.3.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow | ioc
134 | raw.githubusercontent.com
151 | camo.githubusercontent.com
133 | raw.githubusercontent.com
-
Drops file in System32 directory 38 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\documents | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\desktop | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook | cerber.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8D58.bmp" | cerber.exe
-
Drops file in Program Files directory 24 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\program files (x86)\outlook | cerber.exe
File opened for modification | \??\c:\program files (x86)\powerpoint | cerber.exe
File opened for modification | \??\c:\program files (x86)\the bat! | cerber.exe
File opened for modification | \??\c:\program files (x86)\word | cerber.exe
File created | C:\Program Files\Hatch\hatch.exe | msiexec.exe
File opened for modification | \??\c:\program files (x86)\microsoft sql server | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\word | cerber.exe
File opened for modification | \??\c:\program files (x86)\onenote | cerber.exe
File opened for modification | \??\c:\program files\ | cerber.exe
File opened for modification | \??\c:\program files (x86)\bitcoin | cerber.exe
File opened for modification | \??\c:\program files (x86)\excel | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\excel | cerber.exe
File opened for modification | \??\c:\program files (x86)\thunderbird | cerber.exe
File opened for modification | C:\Program Files\Hatch\hatch.exe | msiexec.exe
File opened for modification | \??\c:\program files (x86)\microsoft\office | cerber.exe
File opened for modification | \??\c:\program files (x86)\steam | cerber.exe
File created | C:\Program Files\Hatch\LicenseFile | msiexec.exe
File opened for modification | C:\Program Files\Hatch\LicenseFile | msiexec.exe
File opened for modification | \??\c:\program files (x86)\ | cerber.exe
File opened for modification | \??\c:\program files (x86)\office | cerber.exe
-
Drops file in Windows directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Installer\e577c25.msi | msiexec.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\documents | cerber.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | \??\c:\windows\ | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\desktop | cerber.exe
File opened for modification | C:\Windows\Installer\MSI38E9.tmp | msiexec.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird | cerber.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\steam | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam | cerber.exe
File opened for modification | C:\Windows\Installer\e577c25.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\e577c27.msi | msiexec.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\desktop | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! | cerber.exe
File opened for modification | C:\Windows\Installer\MSI7D0F.tmp | msiexec.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote | cerber.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exetaskmgr.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000039a337e041d2b58d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000039a337e00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090039a337e0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d39a337e0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000039a337e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 
534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 | msiexec.exe
-
Modifies registry class 45 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\DisplayName = "Hatch" | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\Version = "1.9.3" | Hatch-1.9.3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6562AE95F1ABFBB4F89F3C0A42C1C0B9 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\PackageCode = "5D7D2678202C2614EB1CEE2D20663D5F" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}v1.9.3\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Version = "1.9.3.0" | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\DisplayName = "Hatch" | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}v1.9.3\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1392040655-2056082574-619088944-1000\{ED4E99A6-5F6D-4AAF-8DFB-90D39AC8C6A4} | msedge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\Version = "17367043" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList\Media\1 = ";CD-ROM #1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\Dependents | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\Version = "1.9.3" | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6562AE95F1ABFBB4F89F3C0A42C1C0B9\MainProgram | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1902A7DFBD581835D9B07AC0BC7108BA | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1902A7DFBD581835D9B07AC0BC7108BA\6562AE95F1ABFBB4F89F3C0A42C1C0B9 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList\Media\DiskPrompt = "Hatch Installation" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\ProductName = "Hatch" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList\PackageName = "Hatch-1.9.3-x64.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\Dependents\{b78eb0b2-2054-4778-8ed1-25038f8c1363} | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\ = "{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}" | Hatch-1.9.3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\Dependents\{b78eb0b2-2054-4778-8ed1-25038f8c1363} | Hatch-1.9.3.exe
Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{b78eb0b2-2054-4778-8ed1-25038f8c1363} | Hatch-1.9.3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Dependents | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6562AE95F1ABFBB4F89F3C0A42C1C0B9\Environment = "MainProgram" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\Language = "1033" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B} | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\ = "{b78eb0b2-2054-4778-8ed1-25038f8c1363}" | Hatch-1.9.3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Dependents\{b78eb0b2-2054-4778-8ed1-25038f8c1363} | Hatch-1.9.3.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B} | Hatch-1.9.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\ = "{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}" | Hatch-1.9.3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6562AE95F1ABFBB4F89F3C0A42C1C0B9\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{59EA2656-BA1F-4BBF-8FF9-C3A0241C0C9B}\DisplayName = "Hatch" | Hatch-1.9.3.exe
Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings | cerber.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
1960 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1568 | msiexec.exe
1568 | msiexec.exe
1776 | taskmgr.exe (57 consecutive entries)
1568 | msiexec.exe
1568 | msiexec.exe
1776 | taskmgr.exe (3 consecutive entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1776 | taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
Processes:
pid | process
3132 | msedge.exe (15 consecutive entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: vssvc.exe, Hatch-1.9.3.exe, msiexec.exe
description | pid | process
Token: SeBackupPrivilege | 4404 | vssvc.exe
Token: SeRestorePrivilege | 4404 | vssvc.exe
Token: SeAuditPrivilege | 4404 | vssvc.exe
Token: SeShutdownPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeIncreaseQuotaPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeSecurityPrivilege | 1568 | msiexec.exe
Token: SeCreateTokenPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeAssignPrimaryTokenPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeLockMemoryPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeIncreaseQuotaPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeMachineAccountPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeTcbPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeSecurityPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeTakeOwnershipPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeLoadDriverPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeSystemProfilePrivilege | 3320 | Hatch-1.9.3.exe
Token: SeSystemtimePrivilege | 3320 | Hatch-1.9.3.exe
Token: SeProfSingleProcessPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeIncBasePriorityPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeCreatePagefilePrivilege | 3320 | Hatch-1.9.3.exe
Token: SeCreatePermanentPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeBackupPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeRestorePrivilege | 3320 | Hatch-1.9.3.exe
Token: SeShutdownPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeDebugPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeAuditPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeSystemEnvironmentPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeChangeNotifyPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeRemoteShutdownPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeUndockPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeSyncAgentPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeEnableDelegationPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeManageVolumePrivilege | 3320 | Hatch-1.9.3.exe
Token: SeImpersonatePrivilege | 3320 | Hatch-1.9.3.exe
Token: SeCreateGlobalPrivilege | 3320 | Hatch-1.9.3.exe
Token: SeRestorePrivilege | 1568 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1568 | msiexec.exe
(the SeRestorePrivilege / SeTakeOwnershipPrivilege pair for 1568 msiexec.exe repeats 14 times in total)
Token: SeRestorePrivilege | 1568 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: Hatch-1.9.3.exe, Hatch-1.9.3.exe, taskmgr.exe, Hatch-1.9.3.exe
pid process
1804 Hatch-1.9.3.exe
3320 Hatch-1.9.3.exe
3320 Hatch-1.9.3.exe
1776 taskmgr.exe (run of repeated entries)
3244 Hatch-1.9.3.exe
1776 taskmgr.exe (run of repeated entries; the two taskmgr.exe runs total 60 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: taskmgr.exe
pid process
1776 taskmgr.exe (this entry repeats 64 times)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: mspaint.exe
pid process
4376 mspaint.exe (this entry repeats 4 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: Hatch-1.9.3.exe, Hatch-1.9.3.exe, Hatch-1.9.3.exe, VC_redist.x64.exe, Hatch-1.9.3.exe, Hatch-1.9.3.exe, Hatch-1.9.3.exe, Hatch-1.9.3.exe, VC_redist.x64.exe, msedge.exe
description | pid | process | target process
PID 3760 wrote to memory of 1804 | 3760 | Hatch-1.9.3.exe | Hatch-1.9.3.exe (3 entries)
PID 1804 wrote to memory of 3320 | 1804 | Hatch-1.9.3.exe | Hatch-1.9.3.exe (3 entries)
PID 3320 wrote to memory of 3880 | 3320 | Hatch-1.9.3.exe | VC_redist.x64.exe (3 entries)
PID 3880 wrote to memory of 8 | 3880 | VC_redist.x64.exe | VC_redist.x64.exe (3 entries)
PID 4912 wrote to memory of 3244 | 4912 | Hatch-1.9.3.exe | Hatch-1.9.3.exe (3 entries)
PID 3276 wrote to memory of 3132 | 3276 | Hatch-1.9.3.exe | Hatch-1.9.3.exe (3 entries)
PID 3244 wrote to memory of 3200 | 3244 | Hatch-1.9.3.exe | Hatch-1.9.3.exe (3 entries)
PID 3200 wrote to memory of 2080 | 3200 | Hatch-1.9.3.exe | VC_redist.x64.exe (3 entries)
PID 2080 wrote to memory of 3020 | 2080 | VC_redist.x64.exe | VC_redist.x64.exe (3 entries)
PID 3132 wrote to memory of 2456 | 3132 | msedge.exe | msedge.exe (2 entries)
PID 3132 wrote to memory of 1488 | 3132 | msedge.exe | msedge.exe (35 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
(Indentation shows the parent/child relationship in the process tree.)

Image: C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe
Command: "C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe"
- Suspicious use of WriteProcessMemory
PID: 3760

  Image: C:\Windows\Temp\{30F0AA91-3EC2-40AF-B2B5-7BC46F94B899}\.cr\Hatch-1.9.3.exe
  Command: "C:\Windows\Temp\{30F0AA91-3EC2-40AF-B2B5-7BC46F94B899}\.cr\Hatch-1.9.3.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe" -burn.filehandle.attached=556 -burn.filehandle.self=536
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1804

    Image: C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.be\Hatch-1.9.3.exe
    Command: "C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.be\Hatch-1.9.3.exe" -q -burn.elevated BurnPipe.{B52557DE-6142-47D2-A6FF-4D5176360A33} {4B933648-F4B7-4C2D-83E5-987FB66C37A4} 1804
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 3320

      Image: C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
      Command: "C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" /install /quiet /norestart
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3880

        Image: C:\Windows\Temp\{28D30F40-CA99-46B4-AE3B-A6F5DF94F93D}\.cr\VC_redist.x64.exe
        Command: "C:\Windows\Temp\{28D30F40-CA99-46B4-AE3B-A6F5DF94F93D}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 /install /quiet /norestart
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 8

Image: C:\Windows\system32\vssvc.exe
Command: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID: 4404

Image: C:\Windows\system32\srtasks.exe
Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
PID: 840

Image: C:\Windows\system32\msiexec.exe
Command: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1568

Image: C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
Command: "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" /modify
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4912

  Image: C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
  Command: "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.clean.room="C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.filehandle.attached=548 -burn.filehandle.self=568 /modify
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3244

    Image: C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
    Command: "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -q -burn.elevated BurnPipe.{DAF695FB-7F79-4725-AE13-E1F79B43650F} {F779D179-5C7C-45B8-9E23-CDCE921022A7} 3244
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3200

      Image: C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
      Command: "C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" /install /quiet /norestart
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2080

        Image: C:\Windows\Temp\{99A6085B-2E96-4689-A5C9-409293AC2351}\.cr\VC_redist.x64.exe
        Command: "C:\Windows\Temp\{99A6085B-2E96-4689-A5C9-409293AC2351}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" -burn.filehandle.attached=580 -burn.filehandle.self=488 /install /quiet /norestart
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 3020

Image: C:\Windows\system32\taskmgr.exe
Command: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1776

Image: C:\Windows\System32\rundll32.exe
Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 1004

Image: C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
Command: "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3276

  Image: C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe
  Command: "C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.clean.room="C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\Hatch-1.9.3.exe" -burn.filehandle.attached=528 -burn.filehandle.self=536
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 3132

Image: C:\Windows\system32\mspaint.exe
Command: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UpdateReset.bmp"
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID: 4376

Image: C:\Windows\system32\svchost.exe
Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
PID: 3016

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID: 3132

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9074146f8,0x7ff907414708,0x7ff907414718
  PID: 2456

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  PID: 1488

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  PID: 228

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  PID: 2380

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  PID: 4952

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  PID: 3456

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  PID: 2940

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
  PID: 4208

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
  PID: 3740

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
  PID: 4788

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  PID: 4680

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  PID: 936

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  PID: 2248

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  PID: 3880

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5824 /prefetch:8
  PID: 5084

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
  - Modifies registry class
  PID: 2672

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:1
  PID: 1372

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  PID: 608

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
  PID: 2992

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  PID: 4180

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  PID: 3296

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  PID: 4604

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  PID: 2056

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  PID: 5668

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
  PID: 5836

  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10826519496794856584,13903556694362188165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2764 /prefetch:2
  PID: 4772

Image: C:\Windows\System32\CompPkgSrv.exe
Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3976

Image: C:\Windows\System32\CompPkgSrv.exe
Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 968

Image: C:\Users\Admin\Desktop\cerber.exe
Command: "C:\Users\Admin\Desktop\cerber.exe"
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID: 5808

  Image: C:\Windows\SysWOW64\netsh.exe
  Command: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  - Modifies Windows Firewall
  PID: 5832

  Image: C:\Windows\SysWOW64\netsh.exe
  Command: C:\Windows\system32\netsh.exe advfirewall reset
  - Modifies Windows Firewall
  PID: 6036

  Image: C:\Windows\SysWOW64\mshta.exe
  Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___S7FH_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 5756

  Image: C:\Windows\SysWOW64\NOTEPAD.EXE
  Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CURMT32P_.txt
  - Opens file in notepad (likely ransom note)
  PID: 1960

Image: C:\Users\Admin\Desktop\cerber.exe
Command: "C:\Users\Admin\Desktop\cerber.exe"
PID: 3796

Image: C:\Users\Admin\Desktop\cerber.exe
Command: "C:\Users\Admin\Desktop\cerber.exe"
PID: 6056

Image: C:\Users\Admin\Desktop\cerber.exe
Command: "C:\Users\Admin\Desktop\cerber.exe"
PID: 2732

Image: C:\Users\Admin\Desktop\cerber.exe
Command: "C:\Users\Admin\Desktop\cerber.exe"
PID: 5348
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (2)
Downloads
Files written during the run, with size and digests, followed by the memory regions the sandbox dumped. A path that appears more than once was captured with different contents at different points in the run. The {GUID}\.ba and {GUID}\.cr directories under C:\Windows\Temp and the C:\ProgramData\Package Cache tree are created by the WiX Burn bootstrapper the installer is built with; they are ordinary installer debris and are listed only because the sandbox records every file written. The two _R_E_A_D___T_H_I_S___ files are the Cerber ransom notes.

- C:\Config.Msi\e577c26.rbs
  Filesize: 8KB
  MD5: e48e8b43cb7045f2bf6b6c3c1973bc3b
  SHA1: 80dc2a2ca743b1988fa67d610a9a212fc47d9bd7
  SHA256: 5b9fe254475ce973e9a220b8d0ee597980bd6da25278d2f58cf1922f825231d5
  SHA512: 5cffcd6acfb1b7dff7d36e74ecdd822fe633b4646287286f5eba3e79cead35ad5478e0a571dcfe34ff60d89b4f0cd4621d1f123d08922a6711c0895256cd1cf1

- C:\Config.Msi\e577c2a.rbs
  Filesize: 6KB
  MD5: b8ca71e35127f85db5e87e8bb554497d
  SHA1: 7f7d33326502158bb5703e677132c97510f23426
  SHA256: 43f5f79aebacdab502dabd5ee96b34a11744a3575095faa4ef3963f438397a4e
  SHA512: 824a4c02e16e70baab3b4e13abb330631e38e0a4c57b6c474414e769cac2e1d1035fc78058283d7e8bf7ac905867498368d81072abcd383981bd5cb2cc0ebace

- C:\Program Files\Hatch\LicenseFile
  Filesize: 1KB
  MD5: 74401bb59d6d0e179cb820f588416fca
  SHA1: c4c201ce31066a35e7cb997a04fb4dc23ecb87fa
  SHA256: 15d9f75684e8c6571ae6714517fe453b21de6d3a07b1546dc8813bc7469a3ca6
  SHA512: 869bdad076f6f4b46ac3f6ee03ef52628cfbbf70542dbbc2bc66ca393dd37bad248da5b83f8ea7438791c8220f2e32e5c8a63c5370eecb717ce6efd6e29167bc

- C:\Program Files\Hatch\hatch.exe
  Filesize: 3.8MB
  MD5: 3d81dba29c92788fec342ff529acd0da
  SHA1: 578a99d61f5850c6c030b6e1d3380bf814b27355
  SHA256: 14808357b9e4d1ccb14f6b0d559d8358b027a026bd7115641524704a2ccdfe20
  SHA512: d9970dbdc9743cf299a598ee9c699238f9501f134830ba1d486ba83ab64f65a2a071dd2479f71f6ae05997cc0eae554aa2530479f5272ff386e87acaea738061

- C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
  Filesize: 10.7MB
  MD5: 2d3c26482e00ccf22fcca0d1792a81ae
  SHA1: 28f9fc392f4b16cfb1997f0745f3e23fa5a96404
  SHA256: 827f00e0b8e109d62a42309578c2eb184bec6ae6e4e5a5d16599641ff5a385a2
  SHA512: b9b60331ba05ac3c65a745c7023ab0c9f59796cd9eedbf48cf2a8025642516045d71591cf8a59cd2186d4faee9fedc20b3757c188604fd6753d03525d41bb211
  Note: the cache directory name is the SHA1 of the 24.0MB VC_redist.x64.exe listed under C:\Windows\Temp\{DD3A7C90-4326-4F97-8C6C-D96A85E29E3D} below. The digests recorded here are of a 10.7MB copy, which is consistent with the file having been captured while the copy into the cache was still in progress; do not treat them as the redistributable's real hashes.

- C:\ProgramData\Package Cache\{b78eb0b2-2054-4778-8ed1-25038f8c1363}\state.rsm
  Filesize: 786B
  MD5: 980f3123ad0f4ed88580f9410106b812
  SHA1: 1a7f46962b65b253fef4a33eb5821a7838f88f41
  SHA256: 92b06afe90387b72b08b6348798e666273e3ad05b1f792baeba3258db00effbf
  SHA512: f38ccf262cbae7d6a94d281b4c3d03c23eee84fd2ac50fc338fe213861e72c57302425b22b8adb527bc399e8a83c3b6adee2475c459a7a8839414cf0f8bb3f07
The following entries are routine Microsoft Edge profile writes (Crashpad settings, HTTP cache, Preferences, Local State, TransportSecurity); they are recorded because the sandbox captures every file written during the run, not because they carry ransomware content.

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: d4c957a0a66b47d997435ead0940becf
  SHA1: 1aed2765dd971764b96455003851f8965e3ae07d
  SHA256: 53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163
  SHA512: 19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 343e73b39eb89ceab25618efc0cd8c8c
  SHA1: 6a5c7dcfd4cd4088793de6a3966aa914a07faf4c
  SHA256: 6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223
  SHA512: 54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
  Filesize: 43KB
  MD5: 8d1ef1b5e990728dc58e4540990abb3c
  SHA1: 79528be717f3be27ac2ff928512f21044273de31
  SHA256: 3bdb20d0034f62ebaa1b4f32de53ea7b5fd1a631923439ab0a24a31bccde86d9
  SHA512: cd425e0469fdba5e508d08100c2e533ef095eeacf068f16b508b3467684a784755b1944b55eb054bbd21201ba4ce6247f459cc414029c7b0eb44bdb58c33ff14

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
  Filesize: 24KB
  MD5: 1deeafca9849f28c153a97f5070355d6
  SHA1: 03b46b765150a2f308353bcb9838cbdd4e28f893
  SHA256: b1639f4ce0285c41f4bd666f3fae4767094e3042b0379646b5ccfe04ef01ec19
  SHA512: 52122b7e3ca9b58eab42fc652c24b4b8c17c43970f88860372d8377c49c540c31ddc81b519f4d59d34e199571758f82ab2fea0737ac1f847b3d4dd75d7acac19

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
  Filesize: 49KB
  MD5: 4b4947c20d0989be322a003596b94bdc
  SHA1: f24db7a83eb52ecbd99c35c2af513e85a5a06dda
  SHA256: 96f697d16fbe496e4575cd5f655c0edb07b3f737c2f03de8c9dda54e635b3180
  SHA512: 2a3443e18051b7c830517143482bf6bffd54725935e37ee58d6464fac52d3ce29c6a85fc842b306feaa49e424ba6086942fc3f0fea8bb28e7495070a38ce2e59

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
  Filesize: 23KB
  MD5: bc4836b104a72b46dcfc30b7164850f8
  SHA1: 390981a02ebaac911f5119d0fbca40838387b005
  SHA256: 0e0b0894faf2fc17d516cb2de5955e1f3ae4d5a8f149a5ab43c4e4c367a85929
  SHA512: e96421dd2903edea7745971364f8913c2d6754138f516e97c758556a2c6a276ba198cdfa86eb26fe24a39259faff073d47ef995a82667fa7dee7b84f1c76c2b2

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: d02335351b682a22e32913203a6f12d3
  SHA1: d544040545062bb811252689fea24fda8cdd2450
  SHA256: 4460b45555b33b166ba41ae89210d488c6d19fc944cea4049ab1a749cbd2a016
  SHA512: 33c2d3b77b6459e09252cce5d296a0d3907362506c6a02844e966faebbc94a189d69e1589672f6d0e31512f721b470c7b080d83b47a8f8a69f2ce2ce95975881

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 9f325524784a47af5c7eb373c7f78eb1
  SHA1: 89381bd7a5db0c55b2d2b597d0eeb26f5d9411a1
  SHA256: e90ae2a496808c64444998f943cb6ee2ec555437c861603b0e4b881d76d702b4
  SHA512: 23465abd1f7bf97bf22f9fd999253c3ed10dd107be4d62cfaad6964dfefdf4bfeb0993851cff977554bdeee9955b4cd82db1635acf3c0562b1b0d71665a8c695

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1013B
  MD5: 4bc87710785d8522f47504664457cd63
  SHA1: 1e0c958a6864fc4cb59f18e4015a1510a2c84144
  SHA256: 81e341133b87ad7a248c69425d907b38fbdd7b89865a224ad64ccabe5f365976
  SHA512: 9c652e15c249b56ffc9b4b7b9e4526196174678559bf3f8b34da742b32cfa5cb1a5b9eb16526c27bb3aeb4866c66186f307c631fee55ce211a64e8dbfe3df299

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 5cd47eff2e9f113a4c1ca01144a69a6c
  SHA1: d662d728a33b9445c9cdaee024d0e15cd40b68f8
  SHA256: 46688dd9b2d85f721ec04c4daecfee3410fb16d312f88a3ce1b7addc77626a48
  SHA512: e7307d329b436cffd5108088c5fdde914362a150037003d4cf6540d0c9f7fca9dc0599614244828e0c8f60f35efe17d234f44fd473a0ade4d622b7c39453a457

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: b8d61ef7e83f5897b60284575e3a2f90
  SHA1: 304baa51d11f173e48c6dd30c4d46f3d94d3b94a
  SHA256: 7b4c555394940b4a22f6bb9c7beecc3644fb80c6f6f46b29d4d8ea36e7fb2378
  SHA512: eb5db4fb3b2cf1d70d43328fec60639bf7263fcbd0922c0c2ca4b34db93f3ab19328266d4095cc53480c9a888b7ee42cfda117a8bfddade13a9281eaaa063646

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 993cc8a4f7cf9954293a4d04cb67c0e6
  SHA1: c5a4e534d6a8d571af983e6dec603b4dc354048c
  SHA256: 8c39d064cebd6cbbc7772028e87cf36c319da696c5da7ec82e7c69c90c3efad2
  SHA512: 1e176a1e3de5a4ac8f96a49ac9c52bda69121f29164736ed6d81cda8ea6224dff6a46505bc2c6053d1144a802815801a59adab89bbc9e993cfed9b12bec5f699

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 6341d3d4e2dfc82a8811c984863f880e
  SHA1: b3c81f13ba68be40f54fa52e595f9217343e0805
  SHA256: dc5a282116ab6faed057c72e8606d514531ea7eb4a5841e277006a57d333d05f
  SHA512: b76d80a0156682bff8c7aed22404fa56e953ebcc9a5032571166f8133ecd4639a4075436ce008866a2f7a4eb30176676ee39fd9d4d7b59f20fa025b639562a45

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: a34dc07aa56e9cb769ece665b8e5337c
  SHA1: 317d9efd5c855a25d4343b8bc53153b78547bf03
  SHA256: 2f53180421affb4ef330875fb9da5f2bca5e40ca3e3697e6137755b146474c6c
  SHA512: 731a8307bc20379927eb3b5e97c89bc1e8732ed7c5fa60c6c55644f2f75ddb55b1e898d9a5d1059ab386a46f05bda637669a51ea12c281c6314760bce5d91ac2

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: ebfdaecb9679b4397f98cc1a20be9183
  SHA1: db1b8c106b19f8babc63e0532c8459d7ab807c01
  SHA256: 65c79c6a2744821b7bd2c9819c95e77f06de16b021eed663b11f1fcaf7e729e2
  SHA512: fc316de69fd78a93e39db9a823d89b616db27e36b4c1b2b56a9a4785cb4aa409bd7704968f915128dff6b5dc0279bc2c621a6d36a06a87d06959693283b9f45f

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: cdbd72a43a1b61512e85c96ad6ca20d1
  SHA1: 7f318a55acf65b1f666974b56d164b4740c0e4f0
  SHA256: cbe61aadb7f0cc0eee36f44f1a6adddd6afbc175affed90d8d4c864ef3fbfdfc
  SHA512: 2e4c3c4cf3c921b1f89f0e4a2e74376021912de380678a0c230b36cf691cd169f6859445f564fc294c6cba0b75f8df3154f6c56498cd52a390a0f7c679c21eac

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 444649d26d8ee302efbb1d315a9dfa81
  SHA1: b8034c231ea3f26975299768c477113343914737
  SHA256: 430d545517600e57e352e98851e28733f1ae43d1c9421360f713821297a6eb9c
  SHA512: fccafff3f27f74835217e5ba204c78f8a5aaef806758a31db34d9310b69b01085d98a11f431b95e7714d31da139cfb4ff569070f84306bc5dbb45d4894a9300a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 8eb71ef83ba4a30f8fbd57def722712a
  SHA1: 4de41ba8427d0039955035c292c3863897143493
  SHA256: 1d7a556fc363a370554cc80d6837862e497bfce23b932eb196c583aad1c8fe7f
  SHA512: 804f451dc4c6bfd9bb6a9f3830b465400dffbc6c2ac25214b0c20a21d68fb1ff51a6d1a9cc9f44cb1a032b3e0dcde2135d01c6b9b0bc7b64509cfda61ba17fdb

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a80ca.TMP
  Filesize: 1KB
  MD5: 7e98fe3b341531d16d3f8f4931c923b7
  SHA1: 434c210a7123a740e13666c56cff23c5d081221f
  SHA256: 88ea2a40c426cc356ebf1dd3a13d6105574b419a2dc5dff8fa1d9fb86ff9f65b
  SHA512: 922bf68129c1eb212b4962cfad4d21eb86a813bc38794806a61df923c9f38bf27ecc1f90c50fbe43d15c390682239adf20b28a271dcd963a835e50dca5e9d84d

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: a38f6bcae5f3baf5c021282b1a44e365
  SHA1: 095a8a3ae27c5e02d432bc58c2c9f44021006c2f
  SHA256: ff71b58f6e6f3754d7ee7a7b1af0b81696fcbf306f5f8172dc6de1d2ae4f8ce2
  SHA512: 4273b98fc58f4949f341a280209848ade0d7a095e00669f918c41b8143fd5d8d25d265d1bd3324405c2208abc3fab6827761d3fc6dda624d425fa216eb6e6267

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 6ced1456e0cf6e16e283edc11acdc30b
  SHA1: 4187f5181237c02339feb6ddea88fc2d3fc1ad1f
  SHA256: f1fd680875c59f41fb7b339aa9b0432e3d7c0d927c18ded0c6e504181f342111
  SHA512: 1a1afaf00fb43af4811170f05c24a6dbb1e1744e0aa5e553cad851fec42c5d995388e3c9e937d2424b0ddd5327802352ccd1388c9967fcd78152cb63d3da898b

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: eb2818ec9232ab1e09140ec5eaccd2fb
  SHA1: da41a2418d702ebb9fe792332e08898a3e139491
  SHA256: 2e61aab503e5125183df2782cff884c721372369218cd3039320251ef7319166
  SHA512: 45cc521c45a42e37810828295c3ef3757bb653afd04351ae69cc7b742a05e472ae631b47e553594022f00a3563cacf40632152f1edce177be3c84e661b7bde45
- C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___KTLH_.hta
  Cerber ransom note in HTA form; its contents are what was extracted under Malware Config.
  Filesize: 75KB
  MD5: 337ad1c10581978d9b132e8b4d8ccdd0
  SHA1: ed6d6c24cb2fc86e5cfd8582c22b3bccd94e02a1
  SHA256: b81d7715ff62303b30c7c785cf29ad98ec999a739cee1dd745ffb520fab4d7f9
  SHA512: 1d812f65a17482b55823f3b7eb13baf1d19bc92d8dd1244a6a99a450c73b37e2780f1fab950a92b7d1cfe1ab514a3179ccc3b12c62424ba54bd01b332dc7cfbe

- C:\Users\Admin\AppData\Local\Temp\Hatch_20240222203440_001_Hatch_1.9.3_x64.msi.log
  Windows Installer log for the Hatch MSI; the filename timestamp is 2024-02-22 20:34:40.
  Filesize: 45KB
  MD5: ffb0abf5d2f812e6ff367fb7b42928a4
  SHA1: 2a57dcfe4148e76a97400ddd54aa457875f0df59
  SHA256: 257b0c059b2545d23813c7fd6a97a67208958a5de5d6284a7b7fdb5dbed688d2
  SHA512: 62a5cbe85a8f3427e510d8318cb95cfc049428eb02f3f84a436cc7309792963c817e9f9557720742c15914e24020bdda90c4f61e2d2a725bbc5d964377271d41

- C:\Users\Admin\AppData\Local\Temp\Hatch_20240222203555_001_Hatch_1.9.3_x64.msi.log
  Second Windows Installer log, timestamped 20:35:55, i.e. the installer was run a second time during the analysis.
  Filesize: 1KB
  MD5: 2ffd11ad7b31ae8afe0bf7510eb76c2b
  SHA1: e8325a014e8cc70a400ddb8b29665edde3e7a6da
  SHA256: 2d9db939e40f5f5148388baa86ecaea6ffe0ad8a109eb39c1235dbcfc085b543
  SHA512: d249460648293fcab02e4767ead5ecbfebbe42300fb98f5b7cb2e10be8aa0162b7a53ca8d4f2aac0e3c8b1de97ba99e1d408918735eb0b722c8b9b05a1f889bd

- C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___1NY6Q32_.txt
  Cerber ransom note in text form; its contents (the .onion and .top payment URLs) are what was extracted under Malware Config.
  Filesize: 1KB
  MD5: 2466754a57514dec1d228ca7d509132a
  SHA1: bb5c3f9c407d059c611d6643fde30fcc3db11d03
  SHA256: 9a3d542dc714a0a8bd90f920f393f537cc0de31bf4c6ae9b7e76dfd4438e6a47
  SHA512: 24e76b74e660dba2f83bd418b55da05e59865858fea965aafa6bfd37601c3a9e14728d72cb6d9d6813c974672af8e5add145e96270dd9c33fe06567b92179219
- C:\Users\Admin\Downloads\Unconfirmed 882616.crdownload
  A .crdownload is a Chromium/Edge download still in progress, so these digests are of a partial file and will not match the completed download.
  Filesize: 15.1MB
  MD5: e88a0140466c45348c7b482bb3e103df
  SHA1: c59741da45f77ed2350c72055c7b3d96afd4bfc1
  SHA256: bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
  SHA512: 2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

- C:\Windows\Temp\{1CE23ADF-D98F-4446-B5E7-469D33239DEB}\.ba\BootstrapperApplicationData.xml
  Filesize: 3KB
  MD5: f17688eb475964556c72e6cd80b72b16
  SHA1: 0f567b8b96970d3f68ce3681cc529828e1cded07
  SHA256: 60214fdd631edc1362083f4a53bb3a5c2bfc5ca78bf30f645d0380b95e47fcc4
  SHA512: 19f2752ebde91c1316ae4e0973410795b49a6cd4ba19b501d09fe2e89386e06fb0416f11f0c3d985afc13640a05f0b147e8ff632173da3ae825497e10c1cf09d

- C:\Windows\Temp\{1CE23ADF-D98F-4446-B5E7-469D33239DEB}\.ba\thm.wxl
  Filesize: 4KB
  MD5: fc0db4142556d3f38b0744a12f5f9d3d
  SHA1: b0595044c4cac49fe89b982e6aec9baff38460ad
  SHA256: 8fbeb7f0b546d394d99b49d678d516402e8f54e5dea590cc91733f502f288019
  SHA512: f2f29db5f3b0e13bc0b1fe738ef90b65d82e5513d0f82eb663c39313c5edaab53fdeb4bcc0493374253b2994b927cfd5764f5fedafd2e3f570d09893f9b26582

- C:\Windows\Temp\{1CE23ADF-D98F-4446-B5E7-469D33239DEB}\.ba\thm.xml
  Filesize: 8KB
  MD5: c29a69f34ff31ff63c3ec6b2d4f903e5
  SHA1: 44e58eb62821c8d023bc91b51975162841647abd
  SHA256: 8d67851408a62b0f04dbaaddc588cd98499cf3630ec5df9f7c0699f0d367f79c
  SHA512: b46d13206c1a6064fe4857dc3de96769a773711fbdf5f8cc979216bd6b8e62703f1bdc3d3b86ed07405249613eb22697f0cdd039963f741bf2b13a4e3addd199

- C:\Windows\Temp\{28D30F40-CA99-46B4-AE3B-A6F5DF94F93D}\.cr\VC_redist.x64.exe
  Filesize: 633KB
  MD5: 60048558e4dfe8710f207f4a6b20b7bf
  SHA1: bcd0767615e7461f2cd632768b3b88ef1f629397
  SHA256: 7f9f4c81187317e5331c36cd4800449ec6118a76fa60e7307d2ab3ddf1761371
  SHA512: d90ba1ec137072a1664c9a8ef3e60577d7b816eda6d48188236c6a886b8c8715cae4a844a3fe13911cfb43c65dc22119887380480ddd2fd6bc4014b157086bf6

- C:\Windows\Temp\{30F0AA91-3EC2-40AF-B2B5-7BC46F94B899}\.cr\Hatch-1.9.3.exe
  Same file name as the submitted sample but different digests: this is the engine-only copy that WiX Burn extracts into its .cr ("clean room") directory, not the sample itself.
  Filesize: 556KB
  MD5: 4c2345b8880621f4912275972806cb53
  SHA1: 44913a723080defd1f9d52ed4d367af0dd26460e
  SHA256: 9df0138713fb10843eb73e547f0aa91932396329a5fe3f8a3cf1f12eddef5bc3
  SHA512: daa6172d9bd2076cd79402871b3e3b8c8dd2b62e1b54e386fec892a961a1afdd16222d003e8c2777c98bec4593fac385974d1e69f86f4bf0733bd97556415f7d

- C:\Windows\Temp\{3C0A02A0-09F2-4EFB-86B5-F3E17E89AF23}\.ba\logo.png
  Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

- C:\Windows\Temp\{3C0A02A0-09F2-4EFB-86B5-F3E17E89AF23}\.ba\wixstdba.dll
  Filesize: 191KB
  MD5: eab9caf4277829abdf6223ec1efa0edd
  SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

- C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.ba\logo.png
  Filesize: 852B
  MD5: 8346e21859a269dccf1e408dc7593cca
  SHA1: 239f10674bf6022854c1f1bf7c91955bde34d3e4
  SHA256: cd2e8ed1fbb308d9d166f49794d323a9b22efba1033cdf906d1f4b030319e01b
  SHA512: de9a54e7067fe4feade10f48d7c2bb4169f50efa0b06d3310421376690712af4d55dbc24dc5accc5013379b11abb59cc8c85896fe9f2a7c6a7ea2e28f6feac9f

- C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\.ba\wixstdba.dll
  Filesize: 184KB
  MD5: fe7e0bd53f52e6630473c31299a49fdd
  SHA1: f706f45768bfb95f4c96dfa0be36df57aa863898
  SHA256: 2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80
  SHA512: feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

- C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\Hatch_1.9.3_x64.msi
  Filesize: 2.0MB
  MD5: 14dcbccc567e9df2fdf55e8318d6d40d
  SHA1: 7932d810151f219f14412e8903887446edeb24a5
  SHA256: 0f31f9b776ea8b3cdb4b34188d257e62242f7a5bcb9503155d66620fe643bcae
  SHA512: 5e7dec4f8f3b7f604ebc8e9879d8b870854e80a95a81d9978f20d34c8f036133600e95ab717a55a57737794ecc31735d123a0d6c37436a970c863a34b3272707

- C:\Windows\Temp\{3FA50BAB-17DA-4F12-B0C3-989474D0CE56}\VC_redist.x64.exe
  Filesize: 9.0MB
  MD5: 6d6e3597b7afb8fd3743ff7d44bb2feb
  SHA1: 3119604c3edf7062b0ad8850a40989ae93a6038c
  SHA256: ea3b0a61fce1ee6cf02f7c00db834c62c0e32bcfba3d22cb194ff23d3c31c2a1
  SHA512: db56b30d73235d02ca8dbde2006c4f0a7ae5b18a95bd903c2b39b852d037a1e771ecb0262f4eec67e40327c8f1dc877594341893c65d4a1d13e53e1d737751ec

- C:\Windows\Temp\{DD3A7C90-4326-4F97-8C6C-D96A85E29E3D}\VC_redist.x64.exe
  The SHA1 of this copy is the directory name used under C:\ProgramData\Package Cache above.
  Filesize: 24.0MB
  MD5: 8e3eff4970b51419c3ca3319db724690
  SHA1: 9ade54d322be27bff05d5afec8ed44f9b2d9306e
  SHA256: 97cc5066eb3c7246cf89b735ae0f5a5304a7ee33dc087d65d9dff3a1a73fe803
  SHA512: 35ba410637878d5a9dede02d92df9747cd809b7f0894227b2cced3b21568cb2d485ca4dff5c756248de2ca820a560b18af60c3c3e8ca74ad69e9e2b355424897
- \??\pipe\LOCAL\crashpad_3132_WVXTEKDWUXAEGLPQ
  Named pipe (Edge's Crashpad handler); no size is recorded. All four digests below are the digests of zero-length input, i.e. nothing was read from the pipe. Do not use them as indicators: they will match every empty file.
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps
Regions dumped by the sandbox, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp; no digests are recorded for them. The ten 4KB dumps from PID 1776 are repeated captures of the same page. The 212KB region 0x0000000000400000-0x0000000000435000 (0x400000 is the default image base of a 32-bit PE executable) was dumped from PIDs 2732, 3796, 5348, 5808 and 6056, consistent with the same unpacked image running in several processes; PIDs 3796 and 5808 additionally have a second, smaller region each.

- memory/1776-183-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-175-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-185-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-184-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-182-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-180-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-174-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-186-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-181-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/1776-176-0x000001D7281A0000-0x000001D7281A1000-memory.dmp: 4KB
- memory/2732-1029-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/2732-1031-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/3796-1021-0x0000000000440000-0x0000000000451000-memory.dmp: 68KB
- memory/3796-1020-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/3796-1023-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5348-1032-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5348-1035-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5808-1000-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5808-1038-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5808-1040-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5808-1010-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5808-999-0x0000000000520000-0x0000000000551000-memory.dmp: 196KB
- memory/5808-1408-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/5808-1425-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
- memory/6056-1027-0x0000000000400000-0x0000000000435000-memory.dmp: 212KB
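Sandbox exports of this file list usually arrive in the flattened shape seen above (one field per line, column labels fused onto values, a lone "-" before each entry). The parser below is an added example, written for this page and not part of the report or the sandbox vendor's tooling. It turns such a listing into records, rejects digests of the wrong length (which catches mis-copied hashes), flags the zero-length-input digests and the Cerber note filenames so they are not fed into a hunt, and emits the SHA-256 set that remains. The embedded input is a constructed excerpt built from four entries of this listing; the names Artifact, parse_downloads, hunt_set and summarize are this example's own.

```python
"""Parse a flattened sandbox 'Downloads' listing into IOC records (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Digest lengths in hex characters; anything else is a truncated or mis-copied hash.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Digests of zero-length input. An entry carrying these (here: the Crashpad named
# pipe) had no readable content and must not be used as an indicator.
EMPTY_HASHES = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
RANSOM_NOTE = re.compile(r"_R_E_A_D___T_H_I_S___")  # Cerber note naming seen in this run


@dataclass
class Artifact:
    path: str
    size: Optional[str] = None           # None for named pipes, which carry no size
    hashes: dict = field(default_factory=dict)

    def is_empty(self) -> bool:
        return any(self.hashes.get(k) == v for k, v in EMPTY_HASHES.items())

    def is_ransom_note(self) -> bool:
        return RANSOM_NOTE.search(self.path) is not None

    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")


def _set_hash(art: Artifact, algo: str, hexval: str) -> None:
    if len(hexval) != HASH_LEN[algo]:
        raise ValueError(f"{algo} digest has wrong length on {art.path!r}")
    art.hashes[algo] = hexval.lower()


def parse_downloads(text: str) -> list[Artifact]:
    """Walk the listing line by line; '-' or a blank line separates entries."""
    lines = [ln.strip() for ln in text.splitlines()]
    items: list[Artifact] = []
    cur: Optional[Artifact] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line in ("", "-"):
            cur = None
        elif cur is None:
            # First line of an entry: the path with a column label fused onto it.
            if line.endswith("Filesize"):
                cur = Artifact(path=line[: -len("Filesize")])
                i += 1
                cur.size = lines[i]          # the size sits on the next line
            elif line.endswith("MD5"):       # pipe entry: no size, MD5 value follows
                cur = Artifact(path=line[: -len("MD5")])
                i += 1
                _set_hash(cur, "md5", lines[i])
            else:
                raise ValueError(f"unrecognised entry start: {line!r}")
            items.append(cur)
        else:
            m = HASH_LINE.match(line)
            if not m:
                raise ValueError(f"unexpected line inside entry: {line!r}")
            _set_hash(cur, m.group(1).lower(), m.group(2))
        i += 1
    return items


def hunt_set(items: list[Artifact], algo: str = "sha256") -> list[str]:
    """Unique digests worth sweeping for; drops empty-content entries and dumps."""
    return sorted({a.hashes[algo] for a in items if algo in a.hashes and not a.is_empty()})


def summarize(items: list[Artifact]) -> dict:
    return {
        "total": len(items),
        "ransom_notes": sum(a.is_ransom_note() for a in items),
        "empty": sum(a.is_empty() for a in items),
        "memory_dumps": sum(a.is_memory_dump() for a in items),
    }


# Constructed excerpt in the report's flattened layout (four entries from the list above).
SAMPLE = r"""
-
C:\Config.Msi\e577c26.rbsFilesize
8KB
MD5e48e8b43cb7045f2bf6b6c3c1973bc3b
SHA180dc2a2ca743b1988fa67d610a9a212fc47d9bd7
SHA2565b9fe254475ce973e9a220b8d0ee597980bd6da25278d2f58cf1922f825231d5
SHA5125cffcd6acfb1b7dff7d36e74ecdd822fe633b4646287286f5eba3e79cead35ad5478e0a571dcfe34ff60d89b4f0cd4621d1f123d08922a6711c0895256cd1cf1
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___KTLH_.htaFilesize
75KB
MD5337ad1c10581978d9b132e8b4d8ccdd0
SHA1ed6d6c24cb2fc86e5cfd8582c22b3bccd94e02a1
SHA256b81d7715ff62303b30c7c785cf29ad98ec999a739cee1dd745ffb520fab4d7f9
SHA5121d812f65a17482b55823f3b7eb13baf1d19bc92d8dd1244a6a99a450c73b37e2780f1fab950a92b7d1cfe1ab514a3179ccc3b12c62424ba54bd01b332dc7cfbe
-
\??\pipe\LOCAL\crashpad_3132_WVXTEKDWUXAEGLPQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5808-999-0x0000000000520000-0x0000000000551000-memory.dmpFilesize
196KB
"""

if __name__ == "__main__":
    arts = parse_downloads(SAMPLE)
    print(summarize(arts), hunt_set(arts))
```

Feed it the raw text of a whole listing (minus the "Downloads" heading) and the SHA-256 set it returns is the one to push to EDR or SIEM; the pipe's empty-input digests and the memory dumps fall out automatically, and the ransom-note flag lets you keep those two files in a separate "impact artefact" list rather than a detection list.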