Resubmissions
12-05-2024 01:48
240512-b76v7aah2s 1012-05-2024 01:47
240512-b7qtzadg23 112-05-2024 01:44
240512-b5tsvaaf8y 8Analysis
-
max time kernel
262s -
max time network
262s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 01:48
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://bing.com
Resource
win10v2004-20240426-en
General
-
Target
http://bing.com
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___QN71WDH_.txt
cerber
http://p27dokhpz2n7nvgr.onion/5F0C-35CC-CFEC-0446-9ECB
http://p27dokhpz2n7nvgr.12hygy.top/5F0C-35CC-CFEC-0446-9ECB
http://p27dokhpz2n7nvgr.14ewqv.top/5F0C-35CC-CFEC-0446-9ECB
http://p27dokhpz2n7nvgr.14vvrc.top/5F0C-35CC-CFEC-0446-9ECB
http://p27dokhpz2n7nvgr.129p1t.top/5F0C-35CC-CFEC-0446-9ECB
http://p27dokhpz2n7nvgr.1apgrn.top/5F0C-35CC-CFEC-0446-9ECB
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___QVO3ZM_.hta
cerber
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (1129) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 6068 netsh.exe 5360 netsh.exe -
Drops startup file 1 IoCs
Processes:
cerber.exedescription ioc process File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ cerber.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 118 raw.githubusercontent.com 119 raw.githubusercontent.com 144 raw.githubusercontent.com -
Drops file in System32 directory 40 IoCs
Processes:
cerber.exeNOTEPAD.EXEdescription ioc process File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint cerber.exe File opened for modification C:\Windows\System32\jigsaw.txt NOTEPAD.EXE File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! cerber.exe File created C:\Windows\System32\jigsaw.txt NOTEPAD.EXE File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook cerber.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
cerber.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9905.bmp" cerber.exe -
Drops file in Program Files directory 20 IoCs
Processes:
cerber.exedescription ioc process File opened for modification \??\c:\program files (x86)\excel cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\office cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\onenote cerber.exe File opened for modification \??\c:\program files (x86)\office cerber.exe File opened for modification \??\c:\program files (x86)\the bat! cerber.exe File opened for modification \??\c:\program files (x86)\word cerber.exe File opened for modification \??\c:\program files (x86)\bitcoin cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\program files (x86)\outlook cerber.exe File opened for modification \??\c:\program files (x86)\steam cerber.exe File opened for modification \??\c:\program files\ cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\powerpoint cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\word cerber.exe File opened for modification \??\c:\program files (x86)\powerpoint cerber.exe File opened for modification \??\c:\program files (x86)\microsoft sql server cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\excel cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\outlook cerber.exe File opened for modification \??\c:\program files (x86)\onenote cerber.exe File opened for modification \??\c:\program files (x86)\thunderbird cerber.exe File opened for modification \??\c:\program files (x86)\ cerber.exe -
Drops file in Windows directory 64 IoCs
Processes:
cerber.exedescription ioc process File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\documents cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word cerber.exe File opened for modification C:\Windows\SysWOW64 cerber.exe File opened for modification \??\c:\windows\ cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office cerber.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
msedge.exechrome.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4996 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599523490700352" chrome.exe -
Modifies registry class 44 IoCs
Processes:
NOTEPAD.EXEOpenWith.execerber.exemsedge.exeOpenWith.exemsedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000ac580a0e100053797374656d33320000420009000400efbe874f7748ac580a0e2e000000b90c0000000001000000000000000000000000000000132e1501530079007300740065006d0033003200000018000000 NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" NOTEPAD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings cerber.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{2039A9EB-1291-48DB-83E9-3E9F40AB60EC} msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 56003100000000009a586967100057696e646f777300400009000400efbe874f7748ac580a0e2e00000000060000000001000000000000000000000000000000ee349b00570069006e0064006f0077007300000016000000 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 NOTEPAD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" NOTEPAD.EXE -
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXEpid process 752 NOTEPAD.EXE 5604 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exechrome.exepid process 3008 msedge.exe 3008 msedge.exe 3168 msedge.exe 3168 msedge.exe 3240 identity_helper.exe 3240 identity_helper.exe 3384 msedge.exe 3384 msedge.exe 2188 msedge.exe 2188 msedge.exe 696 msedge.exe 696 msedge.exe 696 msedge.exe 696 msedge.exe 2440 msedge.exe 2440 msedge.exe 1728 chrome.exe 1728 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
OpenWith.exeOpenWith.exepid process 1704 OpenWith.exe 4180 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
Processes:
msedge.exechrome.exepid process 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
cerber.exetaskkill.exechrome.exedescription pid process Token: SeShutdownPrivilege 3920 cerber.exe Token: SeCreatePagefilePrivilege 3920 cerber.exe Token: SeDebugPrivilege 4996 taskkill.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe Token: SeShutdownPrivilege 1728 chrome.exe Token: SeCreatePagefilePrivilege 1728 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exechrome.exepid process 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe -
Suspicious use of SendNotifyMessage 56 IoCs
Processes:
msedge.exechrome.exepid process 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe 1728 chrome.exe -
Suspicious use of SetWindowsHookEx 49 IoCs
Processes:
OpenWith.exeOpenWith.exeNOTEPAD.EXEpid process 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 1704 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 4180 OpenWith.exe 752 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3168 wrote to memory of 4572 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 4572 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3236 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3008 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 3008 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe PID 3168 wrote to memory of 440 3168 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bing.com1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0ddf46f8,0x7ffc0ddf4708,0x7ffc0ddf47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2728 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2704 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6680 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,9739207685916324140,8343806742433325016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw2⤵
- Drops file in System32 directory
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6WZK4S3_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___GSFZRX_.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf9a5ab58,0x7ffbf9a5ab68,0x7ffbf9a5ab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4704 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3948 --field-trial-handle=1940,i,10818019041049231597,14075374291420223989,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000aFilesize
199KB
MD5585ac11a4e8628c13c32de68f89f98d6
SHA1bcea01f9deb8d6711088cb5c344ebd57997839db
SHA256d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6
SHA51276d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD586870f7b1141f1215e9ebbef7cb21906
SHA1bba791486f4cbcd7ac3103fa77135bb1a7d92579
SHA256290420ccf3097697f95076be4affd2ff0b336810615a5c8ab558fedb4dc4dd3e
SHA51299ced8d8db079dd14ac42f773237fb433825abb7fbcaeb21536f689681116ee6780cc4ffbaa69593774b2fb6379bdd32b0b197b515ba89906c47fc7474c7d0d4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5f874af68001c719c30adbf582e18a138
SHA1ff4287fb08e3bb1c528ef8587a8f6604c2333b67
SHA2562783322ce090f696bcaff4f4cca5d3bc531bd3b416d1d8c0bfb324dc9d53fb95
SHA5121ff3b4d94928483ba03ad288b63452967c0dcf5bdb35ea5b43676b0d3b3a9a95cc85fb4546a0d6597090e383656f5bf30901ce707600ed1daf866c64af6d79b7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5b9d00bfbdc84156797c4f506b9a180a3
SHA116965b7c6d1422dc9855113a86b68007b6191068
SHA256b9808211c703232cfa9a998787502e87203cd47393eaa6de90ef5982ab1f098f
SHA5127983242f1720b316cfe51201800879189b8d61fbe2f7e70193a25025618092588e4cfae18636753c01d23175d087e9fcb86a261262f71c11521a7c4a1ba4f935
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
258KB
MD532cdc8854573acb995609712ec400f84
SHA1b444ae9c697958517720bac29adb6bf684c6578e
SHA256a499d21192d6ae412ef14be1ab0178766383f43006065c62a3df6dd3f440b7bc
SHA512b0eff41a3dbd6b17168f15a249ac510a79827fc00a4a4d3688dbd8599b36b199624024c0d17c405b7e9afc7a779dd788b97f025b869346ada2e9243682cd5d08
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
131KB
MD5dcb365d346c5be27fb01292f198addca
SHA11773ea317da6a30649a373b6b38d2521291be57b
SHA2566920c49191bd976a30010e047bbeeb129fc57358cfb3cda87c8ef13bd632fa85
SHA512622205d846d5e989c0a622bfa3ea959f8e485a8babfc5855a47f239d702de469a8a1af0dc95ca2d092ee179146b274026c5463bee835a42f52d6bc127f235c9c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\147f7575-73b0-4353-b8fb-f1437c4f2468.tmpFilesize
11KB
MD52c1d64ad600201ecb813598847890a1e
SHA13e16381afb4ef45d082b87ff69ad921b8a4a7592
SHA2567b7ff6516f1a83862053e15b936ea0ad22f4a3c7438c16243af253aa221d2906
SHA512a242686062efb1707c3cccd3a07a755de7a3b45050b4f5d1f57d4ba250eb3d115abf62899d8d83d55aa01edb512682a450d4a6e9a01e99ba5d35e947c3358077
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA2565009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f53207a5ca2ef5c7e976cbb3cb26d870
SHA149a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA25619ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
1.2MB
MD5b76a36f694fd69b229872393bd33b65c
SHA1710ebf0e68bb65f2faa4356abe17f3d164e8b943
SHA2561942ea4d2f0b066d0bbf102d25490e01e3843a204b2cc3cf2b721a7f7ddb9712
SHA5128e4172f38b9b32658717de15c38f5b0c4dfcdbeb73424e6ba4f08981c868fdc240eb5776452f0a71395df2d0bc441f3f88ffaead5860fa672d992a94fb868a26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000bFilesize
69KB
MD5aac57f6f587f163486628b8860aa3637
SHA1b1b51e14672caae2361f0e2c54b72d1107cfce54
SHA2560cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486
SHA5120622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000cFilesize
39KB
MD58facf4d1ac6ff2520d3f9536ec0ba688
SHA105a661afe1d0f83e9566498cb4b895f1c90beae7
SHA256a7d8fbd8a9794a97d9ea3752e450a700c2e295a681b4fa7a21affedc4fdb1a9c
SHA5122cf271954eae3bc8766c3e19215732ee46591cbc3492b24d96cd26376be64dedb711c5d4962377b559b37c097aa267992ef380ad02bd5706435679076805a1d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000dFilesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000eFilesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD5bf036117f156824543d8391422b03b37
SHA169b0ccb546e88d76007f21c23829386007a65ebf
SHA2565cdb28601c60a0c9a4618d3f014bee804871aaa8d1b2dfe690e5b5484c1ef4f7
SHA5128072831a56a6c35d282c51ca2fa9f93c43ab71afc6402e4d26fb141528020565bf54a7fe7c7f08f582ffe70ca791acf6193f6eb9dee17173486e93e78a64549e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD52a959ae4604246ae66eb603d307c92f1
SHA151fd27d31bdd0f9af3b218b30875d27c4a627dbf
SHA25697f28212f7e4eac9d6c71f6ff8c51748ced0d64af61ab898e7d27b0d2f5a1d40
SHA512f605a9d12649ff7e092e899b9d3258f192ea8037bd6dc9a528ebf381dd16cb6a5db20913a5b49f5c189500287f49f9d0819fdd05626a0de22010ea475befeff0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
624B
MD5aa697d6d5f49420bcf9f44a319daf123
SHA175236933c5c44ff619827cce99a7cfc1ea6f9f4f
SHA256d0beed1768961df6034c36b93832ab819d15d8f0fdff854f5db4d7a6f147c4c8
SHA512f57cfd58eece753cf091c23144ad425539e959aae65fda55df6941a31de49b6e127b596b892956990d96c62b74eac01c538cd0caa8f1f99d23328ac345af04f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5dd13f1a0ed1e78af17a07bba733cd619
SHA1ed450042e5ff5a9b004750c85401c6645cd24409
SHA25613f83a6dcf7f22d24daf5fef79ab3171001517b2d251f73a7e186d357e068a82
SHA51224325455812481a3de1f196f9238037c54269f360eda9444558b6f576e489382dfe4bb3c583ac10a89ddbdea121362bd0e3b52fc3a3e39e3960cd4333742ab00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
837B
MD592bc43b258464901a70c4fb70b943c25
SHA15363e38a8d6a311d7b2c907c41b9e86ca2b7677d
SHA256b9505cf6b474561cc18636558fe2eb21bfeae5ff8fe6eff85588d7ebe851650a
SHA5121dd522f541c2b71af2a26f0e5cfa7c6823cc6bbf2bad45daf2b6824ac8114f661fdef5e72739d8bd6e1446f056abb93c0390e7b9781c8e3a61dfa492053a6bef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5149e6f366738a7fac1e05cc43ee452c3
SHA1e3a9b450e9ba456f3af822b39fd304161c0ad40a
SHA2568355de2b9e4f3788e372fb3ee9093fce55f668c2112f7103c5f1b07f7fcbf212
SHA5126f42f32fbe87eae94790dbb2c03e492011213258849b33494b86dfa29113211f889338fefc838f0dea55e510a316fe8fd5f3a71cfe28814f30bcfb102bd0e07c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53cb7a05f6a6851e41e3e6c0018aae31d
SHA170ea70e38d41dc41d061cb2c6f90a0bba662ff75
SHA25674ac1e3990504dc6e32500bd263fcc61594a3ea33f8584d7f987fd853bd5eeef
SHA51200187205c409114d98a91b5e87879c4fefe21a4f295d6c3765e5105719b4be62693bf8fa4ff76e9540f75be50297d7e9d79e8299ecd8d3dd9aea79b09d4027b5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD52eafc37263b8a80681ea3cbdcca37c20
SHA10c50f46a66bead0bd63624432be6bf6b445ff74c
SHA256ad06b129c1b99df0aacc8ca761e7b15c9917eb8631184d8bfef3bb4df41797a0
SHA5129abde152350002961161b8d27e861e706851a39d68979a052662d26a3aa32d56e08029e74dc4adbc542c324fe662fb46185878cb7dd322b896fa7c3aeb37c35c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56ae1488433ded6bf7f17f8bf42682923
SHA1caf6ca426d0aaa1048ac1cbd6741f80c0a1c4ebc
SHA2564e0b16c64385403005ed024d1585062225ba184ba88acb2c0c17c1cf7157f549
SHA512ee3cad6f5d5803566e28dfd9a08e148f50231fd67944f04c9317627551b5c41fc3f486ae8a3461e4fc58f6164ca6fe6dfa653195dffbbb3bd076a8d7b7fec950
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD57a5b7b5e756f13e36f2984ff4998e4cc
SHA18d57429882e25829711c6b8fbf776408332333b1
SHA256498192330be6fddd4382c63db6580f37b6c9e4e556eaa2cd3194040368c4f189
SHA512ee0956b9ebf44541cf72833555e2e6fadb0c6860f874821a1cf6fe618f19313c16059dc7f9338542bdb1c3e8a3e64c298509ad7607cfa5db938f6522e6392157
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c9068cb3ff238eab38b3625e1093d223
SHA190ca29c320352a26f661de6432acce71fff85296
SHA256e55d2730af411138cb1c6eddf3dec6da6dd7fd495b01cddd3720567f7c4457f9
SHA512bcedb735e2f36eb7d3a49a2ea85fea0e8fdbdd18770cc566f56b800927507f0d2760d69610351abee01d0ca1442219d15735c3dae8725a09bee227b8eb4ce651
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
534B
MD5e58bec24bbe93e9cf0711d9bf89d00ec
SHA1ef00ad46ea0af8c794e6bb4d18bd811de27d8521
SHA256ac5f3a5f835292a14598236566072200e4334d2c1c9095ff2b34432374525aac
SHA512c1671773a46ad87f39fa736e962deb6a33ed9177fa39c055c54f75c67c4f321e8a2014856ea021162ffcd33863da79dd6953e4a80ff651e0061ffdc6e91501da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5f3fb1b27bb6d1d02a995cd95550fc657
SHA15f3882a3190376efc5d6631647242e6d1de29d9c
SHA2566637066a8a4c0ffdce108f6b6cb3b034bf1035fae6e5290b7197da644ccd81a8
SHA51224a9b754c0f7ca997c00f29334f34f3b5148876562304d235bbb4e7710f2713c9ba51eb160a18f1371efe6290f8b4989a116e58caff8237332cbc81406d9faed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD59fb85080466b5656d0bac9027c9d5491
SHA16f7de0569599040aa11c169d059ed45e2be2ebf1
SHA25615eaf0917c224c004f7cf1bfb75bb13bdc4562e6c5a56083e2cb3fb7f79385ec
SHA512af55b1cbc3dd65f0060e12feea68d7388a56e029dbee7706caeca28ae9a34888c679903259c5e86323fdbcb21398071e8efe6c70a92a102758388c2d1963dfd7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD58044e5290d3d436a872b337c30fd41b8
SHA1c47ffd3a21c3d450d92f08adcecaeaa77e257e4a
SHA2562ba96987eb28fcac25431407a155215e034534679004d7f0444a1a993a6def40
SHA512203ffcc02fb0eea73088dd48407d5bd3b134417c40c5417dc9f2de61f4982c143bac0200359104bbd2b30dbf25ca604b9d6fa962dc0fd5eb135b03493d0aaa56
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582aa5.TMPFilesize
534B
MD5178b9a1df6483bb94ad341d4360b607d
SHA123feb6726bfd15f604a57d0dffdd99a1c7ccb656
SHA2562843a9e1e7e334e3257cfe481e8e143b2b68feb0e4a2877a46e43d92b9afdc91
SHA5122f6c6915646a4ef51b6450e5dbe8cbba4e90176fd13999af61d7ab0e5eb62bb74cc9ed9aa1fc547e977728e5659f64f91b264fb1167d44a018a32ab9d088cd0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bd02ee73-66d5-4b4a-adce-1b2fd5f16b46.tmpFilesize
5KB
MD539420386854c719831e20ba318b72e50
SHA1c69ca589e1207cb1432e5b0520c67fe5b6d1ee1a
SHA256cdf88d1100155859ec9dbaecf65b8627f1a8cc91da6699bb9e687baca7a09e30
SHA512e4a909b91f5bc55f056ae02904f056358278fcf355fa428a9a205ee27ba4737b464e9e4069d1753889b0f47e53cdce2aefadf5921d201c44c7bd2bfcf2422cee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD566e0f60b1c729576c9a17872362c1621
SHA1ab68609dec00d04947f7bbef7922c24d7589def5
SHA25674c3be8eba5535a3573341184b421069d4cf3e97f6b2ee400cf3864f949bd260
SHA512430da028d6bc8b463d778792672f1d37cecbd33a91f31f65645d8e0974965795114b6ed84128e1aaa0bc29fe5e7f2f7f4c1fd01542b3c50d9e5e82b7a62638e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD57181f638a67511d91cd4d9abacb486f3
SHA15d6f67fd3999fe9e64f294d69c80eb878467a7fc
SHA256fa11526268ce5b707316710307d813904c603fab4bc3e5cc00f25af0ef3b2d38
SHA51275c9527ef7f3f76f2f503f5fc9364a70fbc02c727e9c13a07217b1f371ec5315054915ea09bb033f62fa80870eb1a0fb66d35ae0dc692cc6c391b3facb80a108
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5e972dfa504db664d447ef4bad29c8675
SHA128450cb62eac907e288336de9535463ec29ce7dd
SHA256ee059bc07c7d3a1b8bfd53b1d103d96f91c7061310e31a1b2249b135411c65b5
SHA512c986f383396fcec046fae56b855b65d495bcc363f8cd567c51f7c6cd55ec8a395491e2388f3ea19a2b79ffd92ce83143b29942794eae123d90c10fe6bf1550cb
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___QN71WDH_.txtFilesize
1KB
MD595bfb78b018a28312b1caf5e64624cfa
SHA14931333efee8c6a2a634c599a5574c177faf42a1
SHA25684002c24308230d672d4fe7461aec710b83b4b53b43ff3d54834b8453f101531
SHA512604c0e3fc030ebb936ab55a0a5ce6b4e0539c67a96f11e83d617602036b270cb1c00b7c491a6cf19f2a8285a5ef7df30b6019901d51228f535d5d7ced6510ccf
-
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___QVO3ZM_.htaFilesize
75KB
MD55dff664da8ce4a6d6fcfb4d14aa834ba
SHA12ae867d719dfcc60af627f73263f7bc8a73acbcc
SHA256f2a661ba10503b2e26e6a1e910092c37ee349317f03bad39798978030292e94e
SHA5121a4eb96292d158570135d5220cbac0d449562b2ea052198c9cfc91139804ad3aced7ed2577ca6107aad0db14e818ff1f21860323b34332d4081b8eec78ebac3e
-
C:\Users\Admin\Downloads\Ransomware.Cerber.zipFilesize
215KB
MD55c571c69dd75c30f95fe280ca6c624e9
SHA1b0610fc5d35478c4b95c450b66d2305155776b56
SHA256416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c
SHA5128e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2
-
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zipFilesize
239KB
MD53ad6374a3558149d09d74e6af72344e3
SHA1e7be9f22578027fc0b6ddb94c09b245ee8ce1620
SHA25686a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
SHA51221c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
-
\??\pipe\LOCAL\crashpad_3168_AWNVBTKBJSSDOWMIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3920-851-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3920-1257-0x0000000000440000-0x0000000000451000-memory.dmpFilesize
68KB
-
memory/3920-1256-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3920-1216-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3920-1207-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3920-855-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3920-827-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB