Analysis
max time kernel: 199s
max time network: 207s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-05-2024 13:50
Static task: static1
Behavioral task: behavioral1
Sample: untitled (1).mp3
Resource: win11-20240508-en
Errors
General
Target: untitled (1).mp3
Size: 1.7MB
MD5: e61f2a7879d026fe086e64383d2cc529
SHA1: 2031177895450a62cff857c8ca09bfc42bb98b5c
SHA256: 61911ded704677bf4c85ec5a795cc21d4cc97d422d984cad9135b7ce8956c544
SHA512: ad91ade31df9b81ea8cca2821d72a2864ac915dfb05842c260e10d661544d48c710dfb08f65d9bfea8827a0ec124e911da890b8e30c31573e236d6ff3a1c4f29
SSDEEP: 49152:Z6Y8IL6xr9Bv+Wf1b/2Wpr9p2ff/g8NpL3uALN1:ZYwsB2Wfd/hr9p23/g8N5JN1
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___2RIFC8Y_.txt
cerber
http://p27dokhpz2n7nvgr.onion/340A-4374-06FD-0446-9DDA
http://p27dokhpz2n7nvgr.12hygy.top/340A-4374-06FD-0446-9DDA
http://p27dokhpz2n7nvgr.14ewqv.top/340A-4374-06FD-0446-9DDA
http://p27dokhpz2n7nvgr.14vvrc.top/340A-4374-06FD-0446-9DDA
http://p27dokhpz2n7nvgr.129p1t.top/340A-4374-06FD-0446-9DDA
http://p27dokhpz2n7nvgr.1apgrn.top/340A-4374-06FD-0446-9DDA
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___8FF7_.hta
cerber
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: NoEscape.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" | NoEscape.exe
Processes: NoEscape.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NoEscape.exe
Contacts a large (1108) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Disables RegEdit via registry modification 1 IoCs
Processes: NoEscape.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | NoEscape.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes: netsh.exe, netsh.exe
pid | process
344 | netsh.exe
1416 | netsh.exe
Drops startup file 1 IoCs
Processes: cerber.exe
description | ioc | process
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ | cerber.exe
Drops desktop.ini file(s) 2 IoCs
Processes: NoEscape.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | NoEscape.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | NoEscape.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: unregmp2.exe
description | ioc | process
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow | ioc
1 | raw.githubusercontent.com
34 | raw.githubusercontent.com
39 | raw.githubusercontent.com
Drops file in System32 directory 38 IoCs
Processes: cerber.exe
description | ioc | process
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\desktop | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\documents | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote | cerber.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: cerber.exe, NoEscape.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDCCE.bmp" | cerber.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" | NoEscape.exe
Drops file in Program Files directory 20 IoCs
Processes: cerber.exe
description | ioc | process
File opened for modification | \??\c:\program files (x86)\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\program files (x86)\office | cerber.exe
File opened for modification | \??\c:\program files\ | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\excel | cerber.exe
File opened for modification | \??\c:\program files (x86)\excel | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\office | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\program files (x86)\onenote | cerber.exe
File opened for modification | \??\c:\program files (x86)\word | cerber.exe
File opened for modification | \??\c:\program files (x86)\bitcoin | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft sql server | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\word | cerber.exe
File opened for modification | \??\c:\program files (x86)\outlook | cerber.exe
File opened for modification | \??\c:\program files (x86)\powerpoint | cerber.exe
File opened for modification | \??\c:\program files (x86)\steam | cerber.exe
File opened for modification | \??\c:\program files (x86)\the bat! | cerber.exe
File opened for modification | \??\c:\program files (x86)\ | cerber.exe
File opened for modification | \??\c:\program files (x86)\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\program files (x86)\thunderbird | cerber.exe
Drops file in Windows directory 64 IoCs
Processes: cerber.exe, NoEscape.exe
description | ioc | process
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\desktop | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\office | cerber.exe
File opened for modification | \??\c:\windows\ | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\desktop | cerber.exe
File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\word | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\documents | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\documents | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint | cerber.exe
File created | C:\Windows\winnt32.exe | NoEscape.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint | cerber.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint | cerber.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
2388 | taskkill.exe
Modifies data under HKEY_USERS 15 IoCs
Processes: LogonUI.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Modifies registry class 3 IoCs
Processes: cerber.exe, msedge.exe, msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | cerber.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3433428765-2473475212-4279855560-1000\{29F3C7B3-0D29-4EF8-B1F4-E366678D6C6B} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | msedge.exe
NTFS ADS 3 IoCs
Processes: msedge.exe, msedge.exe, NoEscape.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Ransomware.Cerber.zip:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier | msedge.exe
File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
pid | process
1392 | NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe
pid | process
1636 | msedge.exe
1636 | msedge.exe
5048 | msedge.exe
5048 | msedge.exe
2624 | msedge.exe
2624 | msedge.exe
1876 | identity_helper.exe
1876 | identity_helper.exe
1044 | msedge.exe
1044 | msedge.exe
1416 | msedge.exe
1416 | msedge.exe
2568 | msedge.exe
2568 | msedge.exe
2568 | msedge.exe
2568 | msedge.exe
904 | msedge.exe
904 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
Processes: msedge.exe
pid | process
5048 | msedge.exe (18 identical entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: unregmp2.exe, cerber.exe, taskkill.exe
description | pid | process
Token: SeShutdownPrivilege | 4676 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 4676 | unregmp2.exe
Token: SeShutdownPrivilege | 2876 | cerber.exe
Token: SeCreatePagefilePrivilege | 2876 | cerber.exe
Token: SeDebugPrivilege | 2388 | taskkill.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe
pid | process
5048 | msedge.exe (64 identical entries)
Suspicious use of SendNotifyMessage 36 IoCs
Processes: msedge.exe
pid | process
5048 | msedge.exe (36 identical entries)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: LogonUI.exe
pid | process
5344 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: wmplayer.exe, unregmp2.exe, msedge.exe
description | pid | process | target process
PID 4552 wrote to memory of 1532 | 4552 | wmplayer.exe | setup_wm.exe (3 identical entries)
PID 4552 wrote to memory of 3836 | 4552 | wmplayer.exe | unregmp2.exe (3 identical entries)
PID 3836 wrote to memory of 4676 | 3836 | unregmp2.exe | unregmp2.exe (2 identical entries)
PID 5048 wrote to memory of 3796 | 5048 | msedge.exe | msedge.exe (2 identical entries)
PID 5048 wrote to memory of 1396 | 5048 | msedge.exe | msedge.exe (40 identical entries)
PID 5048 wrote to memory of 1636 | 5048 | msedge.exe | msedge.exe (2 identical entries)
PID 5048 wrote to memory of 4092 | 5048 | msedge.exe | msedge.exe (12 identical entries)
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe (level 1)
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\untitled (1).mp3"
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe (level 2)
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\untitled (1).mp3"
-
C:\Windows\SysWOW64\unregmp2.exe (level 2)
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe (level 3)
  "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb57e3cb8,0x7ffcb57e3cc8,0x7ffcb57e3cd8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4564 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,2910179254615174246,1250415872111107526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___90QBO_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0F4DQKP1_.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"1⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\a4a16bd33cc0447896e5f216c6d58309 /t 2676 /p 38801⤵
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- NTFS ADS
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa399a855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Modify Registry (3)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Disable or Modify System Firewall (1)
Downloads
370KB
MD5b9466da1d54ddfd6a34348a1eb16b0f7
SHA1a3af25ae6f2364cc8b4ff578567c8300a57f478f
SHA25609de073c2ca2d91012bf6feca5f5db656ebabf424442a6945dbe5cb6b29d0c51
SHA5128a882a8e9d07a01ac76d2ada0c5c7c0a2fd8af149df9a65f05bd260ecb965ebc6c4109ac749de1b2c09f9e110450701c02a42506e3d555662b4ca50b44c445ec
-
C:\Users\Admin\Desktop\fQZlFxNWi3.b460Filesize
704KB
MD5102b41ab7a5c35b147473cf4717a177b
SHA12e1c6e2d1f1149c9d58be0f2670d5baded5ce0b0
SHA25688ef8243d3ffab1ac013df8f3fc2ab803a071fb7e3a3779797fd16f97d00a4d2
SHA51201ec29ca4fdd65eb380871f4b7e8c72006d6b244bc433d5cc8f7a14e8dff026f8bafb8713a512e61a11b20db5726885603c27b21688af58822ce992826223e75
-
C:\Users\Admin\Desktop\mQ8JMgas6f.b460Filesize
728KB
MD56e941d5081a9eaaf12308a0c8eb6738f
SHA1d2f348bff74d720563db06ab6f31109da809efb6
SHA256d11efb44b1ab0519fcce8c39938ab22b939e9a238348fe8e73af9a2d2278b833
SHA512d6286622b4b66d6326ac9b03790c53e7abb277df021fd9f3b92a1c0e4fcce15686121ebebda161e0d780759382e63def501429306deee748d2fe6abdd4877149
-
C:\Users\Admin\Desktop\mudQslRq7Y.b460Filesize
322KB
MD5540faa153ff41e06f794efbe21719f77
SHA1f352e1c40d1d56feb4abf04da4e9f6570bfe72f4
SHA256f922fae3ead2e4b6d31800d8973e927cf7ffd237ce6bf49f1ffe467c88a14ee8
SHA5126a7484090935ee16f656a0f2906d0d32b721fd13c8e7f33ae5333c9e873f19b64ac4972614952538106778183b723e589225dcd399fb6777db6f0f50516f9fa0
-
C:\Users\Admin\Desktop\nlN56XHaF1.b460Filesize
442KB
MD5c774405b50bf8ff130c60b1c38dad52a
SHA17c60d1ca7273346b912a0b714d5d24735da255ba
SHA256e17b9fd8d3f9c9f3f09593dbaf66a1a8dcafcc84ab1cf3ae182f0aef329574a2
SHA512b4cd18928d193108d3083a77048275b3351e5cb93f56133e98fed45a44d99552bdb67527dfdebdc44b558835ec2d0e094e5b0f9022ad24707179afbbf8aa7a5f
-
C:\Users\Admin\Desktop\pmUujceeR9.b460Filesize
609KB
MD5e81d1f1e3fd2cc1f4bbf5aadeac8060a
SHA1f3596fa04635a7616753347dc3c751a5a6bc64da
SHA256d7ac5c69952dc3f292716d162befbce4f99d9dfbd53dff7188d9677e42a59eab
SHA5129ce6c1ec36a211299a5b4eefc9a7db3f1d4d216c86835aaec22f5317464c11ad4fad2a6e272b552f04d114f9aa26b49b9d416c41b0315a6b09119191c7e6743a
-
C:\Users\Admin\Desktop\wa8jUDGe3X.b460Filesize
633KB
MD50ac54afdbbf105362612763c892ab91d
SHA12c37f3fe63b1ab5251e30ced400812a696574346
SHA256e46c93fb72168fe3cee7b777790dee1c3220b033bd9362c0e3ce12ff9d0f537f
SHA512553e75f7d8f34951662f9b9fe3d59b974467db0ce9c9d29247c07604cbce3781f4f5032e35734a6dc7bfe1e38ff6e03cebbe768916be918b0740952e111ca4f0
-
C:\Users\Admin\Downloads\NoEscape.exe.zipFilesize
13.5MB
MD5660708319a500f1865fa9d2fadfa712d
SHA1b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA51218f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517
-
C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Ransomware.Cerber.zipFilesize
215KB
MD55c571c69dd75c30f95fe280ca6c624e9
SHA1b0610fc5d35478c4b95c450b66d2305155776b56
SHA256416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c
SHA5128e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2
-
C:\Users\Admin\Downloads\Ransomware.Cerber.zip:Zone.IdentifierFilesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
C:\Users\Public\Desktop\ဆ⺱⺓⤢ࢶ᧥⢐┗ፌ᫋∠ゃᬱ➩ラ⾜ډ⏝ゅ␙⾫⥩⌠Filesize
666B
MD5e49f0a8effa6380b4518a8064f6d240b
SHA1ba62ffe370e186b7f980922067ac68613521bd51
SHA2568dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4
-
\??\pipe\LOCAL\crashpad_5048_RQFWPWZIPWGFJSDYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2876-717-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/2876-684-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/2876-1116-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/2876-1149-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3612-1756-0x0000000000400000-0x00000000005CC000-memory.dmpFilesize
1.8MB
-
memory/3612-1557-0x0000000000400000-0x00000000005CC000-memory.dmpFilesize
1.8MB
-
memory/4700-712-0x0000000000440000-0x0000000000451000-memory.dmpFilesize
68KB