Analysis
-
max time kernel: 115s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-03-2024 08:58
Static task: static1
Behavioral task: behavioral1
  Sample: HEUR-Trojan.Win32.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: HEUR-Trojan.Win32.exe
  Resource: win10v2004-20240226-en
General
-
Target: HEUR-Trojan.Win32.exe
Size: 604KB
MD5: 8b6bc16fd137c09a08b02bbe1bb7d670
SHA1: c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256: e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512: b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP: 6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___0U7LZNA_.hta
  Family: cerber
Extracted
  Path: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___P08IL_.txt
  Family: cerber
  URLs:
    http://p27dokhpz2n7nvgr.onion/AC5F-BEBD-B6C6-0446-926E
    http://p27dokhpz2n7nvgr.12hygy.top/AC5F-BEBD-B6C6-0446-926E
    http://p27dokhpz2n7nvgr.14ewqv.top/AC5F-BEBD-B6C6-0446-926E
    http://p27dokhpz2n7nvgr.14vvrc.top/AC5F-BEBD-B6C6-0446-926E
    http://p27dokhpz2n7nvgr.129p1t.top/AC5F-BEBD-B6C6-0446-926E
    http://p27dokhpz2n7nvgr.1apgrn.top/AC5F-BEBD-B6C6-0446-926E
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large number (1103) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
  netsh.exe (pid 3156)
  netsh.exe (pid 3612)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  HEUR-Trojan.Win32.exe: Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation
-
Drops startup file 1 IoCs
Processes:
  HEUR-Trojan.Win32.exe: File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\
-
Drops file in System32 directory 38 IoCs
Processes:
  HEUR-Trojan.Win32.exe, file opened for modification:
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam
    \??\c:\windows\SysWOW64\config\systemprofile\documents
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird
    \??\c:\windows\SysWOW64\config\systemprofile\desktop
    \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  HEUR-Trojan.Win32.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB824.bmp"
-
Drops file in Program Files directory 20 IoCs
Processes:
  HEUR-Trojan.Win32.exe, file opened for modification:
    \??\c:\program files (x86)\microsoft\outlook
    \??\c:\program files (x86)\office
    \??\c:\program files (x86)\onenote
    \??\c:\program files\
    \??\c:\program files (x86)\
    \??\c:\program files (x86)\excel
    \??\c:\program files (x86)\microsoft\excel
    \??\c:\program files (x86)\microsoft\onenote
    \??\c:\program files (x86)\microsoft\office
    \??\c:\program files (x86)\microsoft\powerpoint
    \??\c:\program files (x86)\thunderbird
    \??\c:\program files (x86)\microsoft sql server
    \??\c:\program files (x86)\microsoft\microsoft sql server
    \??\c:\program files (x86)\microsoft\word
    \??\c:\program files (x86)\outlook
    \??\c:\program files (x86)\the bat!
    \??\c:\program files (x86)\bitcoin
    \??\c:\program files (x86)\powerpoint
    \??\c:\program files (x86)\steam
    \??\c:\program files (x86)\word
-
Drops file in Windows directory 64 IoCs
Processes:
  HEUR-Trojan.Win32.exe, file opened for modification:
    \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel
    \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint
    \??\c:\windows\
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\office
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server
    \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server
    \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook
    \??\c:\windows\serviceprofiles\localservice\appdata\local\steam
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!
    \??\c:\windows\serviceprofiles\localservice\documents
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook
    \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote
    \??\c:\windows\serviceprofiles\localservice\desktop
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office
    \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam
    \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server
    \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin
    \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook
    \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook
    \??\c:\windows\serviceprofiles\localservice\appdata\local\office
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word
    \??\c:\windows\serviceprofiles\networkservice\desktop
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote
    \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird
    \??\c:\windows\serviceprofiles\networkservice\documents
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint
    \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!
    \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel
    \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
  taskkill.exe (pid 3752)
-
Modifies registry class 1 IoCs
Processes:
  HEUR-Trojan.Win32.exe: Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
  NOTEPAD.EXE (pid 4636)
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  HEUR-Trojan.Win32.exe (pid 2680): Token: SeShutdownPrivilege
  HEUR-Trojan.Win32.exe (pid 2680): Token: SeCreatePagefilePrivilege
  taskkill.exe (pid 3752): Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes (each write was logged 3 times):
  HEUR-Trojan.Win32.exe (pid 2680) wrote to memory of netsh.exe (pid 3156)
  HEUR-Trojan.Win32.exe (pid 2680) wrote to memory of netsh.exe (pid 3612)
  HEUR-Trojan.Win32.exe (pid 2680) wrote to memory of mshta.exe (pid 2712)
  HEUR-Trojan.Win32.exe (pid 2680) wrote to memory of NOTEPAD.EXE (pid 4636)
  HEUR-Trojan.Win32.exe (pid 2680) wrote to memory of cmd.exe (pid 2716)
  cmd.exe (pid 2716) wrote to memory of taskkill.exe (pid 3752)
  cmd.exe (pid 2716) wrote to memory of PING.EXE (pid 3516)
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe"
  - Checks computer location settings
  - Drops startup file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\netsh.exe
    Command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    - Modifies Windows Firewall
  [depth 2] C:\Windows\SysWOW64\netsh.exe
    Command line: C:\Windows\system32\netsh.exe advfirewall reset
    - Modifies Windows Firewall
  [depth 2] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___P9KJ_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  [depth 2] C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___MDST4M_.txt
    - Opens file in notepad (likely ransom note)
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "HEUR-Trojan.Win32.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___0U7LZNA_.hta
  Filesize: 75KB
  MD5: f47a621ac3a33d1f8c4602798c2fd161
  SHA1: 5948b79aac0c38b76c62f7c586fc0f057173a977
  SHA256: d089101351a4fd650de6d9082979974528b066f3ed4fe45eba74cc1a35664c89
  SHA512: 2837e3eadf4541f07f893860df78f0f72f4b99e3b867aed6989354de0cfa0f67046c9e25bf7311ecaefecdbcee1283ee68ecc39e299c4de35671416815d89219
-
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___P08IL_.txt
  Filesize: 1KB
  MD5: 6c6100a6ac73f6d840e3ea66a86c7de7
  SHA1: b29afcc8dc524545e04467781d7883d54f821bc9
  SHA256: 7898404dda71419481d3b2b22d8c7548bcfcd9540294b3c585f3d4efdbe3c652
  SHA512: db3acf59500378c9c024c20678d057c98b30c00455abe1faba19622f83f3f64e12368b546a2246f6252593ee586621e11f6f47066d87189d3faf4aec9038feaa
-
memory/2680-19-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-6-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-12-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-13-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-0-0x0000000000740000-0x0000000000771000-memory.dmp  Filesize: 196KB
memory/2680-22-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-33-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-18-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-2-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-1-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-392-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-411-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize: 212KB
memory/2680-418-0x0000000000440000-0x0000000000451000-memory.dmp  Filesize: 68KB