Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 21:54
- Static task: static1
- Behavioral task: behavioral1
  - Sample: sigmahacks0.2.exe.i64
  - Resource: win10v2004-20240508-en
General
- Target: sigmahacks0.2.exe.i64 (.i64 is the extension IDA Pro uses for its 64-bit databases; the report does not show the detected file type, and the submission was launched with cmd /c, which hands a non-executable file to the shell's file association rather than to the loader)
- Size: 64KB
- MD5: ff001a4805bf038de8353ba101de60bb
- SHA1: b21a51bc6b012973ea6c55bc4a3afff132991a5d
- SHA256: 96c84d6c367ac7f3ac3103c89b847536fef95778542d3231b14a99ab6e3725cb
- SHA512: 964338a49cae369727d2c2f7e7187ef10e2642871730c6f671b05364cc253967138eaf4e005ec63dac8946e4acba7469343b21fc1f1f57c90344959f47bac23f
- SSDEEP: 384:+ncwXM1vKOXM1vzxodEpV7ilAvZjl8VGlPPIOEPPPiPYnreqmdPPPSnh:+ncwXbOXyodOUYHOn2Hqn
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___SEDBQQ2_.txt
  Family: cerber
  Payment-page URLs: one Tor hidden service plus five Tor2web-style .top gateways that carry the same onion name as their left-most label. The path segment 97DC-9ED9-ACDA-0446-9818 is the per-victim identifier Cerber embeds in its notes, so the hosts are the indicators worth blocking, not the path.
  - http://p27dokhpz2n7nvgr.onion/97DC-9ED9-ACDA-0446-9818
  - http://p27dokhpz2n7nvgr.12hygy.top/97DC-9ED9-ACDA-0446-9818
  - http://p27dokhpz2n7nvgr.14ewqv.top/97DC-9ED9-ACDA-0446-9818
  - http://p27dokhpz2n7nvgr.14vvrc.top/97DC-9ED9-ACDA-0446-9818
  - http://p27dokhpz2n7nvgr.129p1t.top/97DC-9ED9-ACDA-0446-9818
  - http://p27dokhpz2n7nvgr.1apgrn.top/97DC-9ED9-ACDA-0446-9818
- Extracted from: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___BOEIFFM_.hta
  Family: cerber
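The two notes above carry the same URL list. As an added example, not code from the sandbox or from the sample, the Python below turns such a note into the indicators an analyst acts on: the hidden-service name, the Tor2web-style gateway domains and the per-victim path, plus a matcher for the note file-name pattern seen in this report. SAMPLE_NOTE is constructed from this report's six URLs with invented surrounding text; the note-name regex deliberately accepts any random upper-case suffix and either .txt or .hta, which generalises beyond the two files listed here.

```python
"""Pull payment-page IoCs out of a Cerber ransom note.

Added example; not part of the sandbox report. SAMPLE_NOTE is constructed
from the URLs this report extracted from the dropped _R_E_A_D___T_H_I_S_
notes; the surrounding note text is invented filler.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE_NOTE = """\
Your documents, photos, databases and other important files are encrypted.
To decrypt them open one of the following links:
http://p27dokhpz2n7nvgr.onion/97DC-9ED9-ACDA-0446-9818
http://p27dokhpz2n7nvgr.12hygy.top/97DC-9ED9-ACDA-0446-9818
http://p27dokhpz2n7nvgr.14ewqv.top/97DC-9ED9-ACDA-0446-9818
http://p27dokhpz2n7nvgr.14vvrc.top/97DC-9ED9-ACDA-0446-9818
http://p27dokhpz2n7nvgr.129p1t.top/97DC-9ED9-ACDA-0446-9818
http://p27dokhpz2n7nvgr.1apgrn.top/97DC-9ED9-ACDA-0446-9818
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)/([A-Za-z0-9-]+)")
# v2 onion names are 16 base32 characters, v3 names are 56; the Tor2web
# gateway form puts the onion name as the left-most label of a clearnet domain.
ONION_LABEL_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
# Note file names in this report: fixed prefix, random upper-case suffix,
# trailing underscore, .txt or .hta extension.
NOTE_NAME_RE = re.compile(r"^_R_E_A_D___T_H_I_S___[A-Z0-9]+_\.(?:txt|hta)$")


@dataclass
class CerberNoteIocs:
    onion_service: Optional[str] = None
    gateway_domains: Set[str] = field(default_factory=set)
    victim_ids: Set[str] = field(default_factory=set)


def parse_note(text: str) -> CerberNoteIocs:
    """Collect the onion name, gateway domains and victim ID from note text."""
    iocs = CerberNoteIocs()
    for host, path in URL_RE.findall(text):
        labels = host.lower().split(".")
        if len(labels) < 2 or not ONION_LABEL_RE.match(labels[0]):
            continue  # not a hidden-service URL; ordinary links are ignored
        iocs.onion_service = labels[0]
        if labels[1:] != ["onion"]:
            iocs.gateway_domains.add(".".join(labels[1:]))  # e.g. 12hygy.top
        iocs.victim_ids.add(path)
    return iocs


def block_list(iocs: CerberNoteIocs) -> List[str]:
    """Hostnames worth blocking. The victim ID is left out on purpose: it is
    per-infection and useless as a network indicator."""
    hosts: List[str] = []
    if iocs.onion_service:
        hosts.append(iocs.onion_service + ".onion")
        hosts += [iocs.onion_service + "." + g for g in sorted(iocs.gateway_domains)]
        hosts += sorted(iocs.gateway_domains)  # the gateway domains themselves
    return hosts


def is_cerber_note_name(filename: str) -> bool:
    """True for names shaped like the two notes this report lists."""
    return NOTE_NAME_RE.match(filename) is not None
```

`block_list` emits both the full gateway hostnames and the bare gateway domains, because the bare domain is what a DNS sinkhole or proxy category rule keys on, while the full hostname is what shows up in proxy logs.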
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.
- Contacts a large number (1122) of remote hosts    1 TTPs
  This may indicate a network scan to discover remotely running services. For Cerber, though, the usual cause is the family's UDP statistics beacon, which it sends to every address in a hard-coded range rather than to hosts it discovered by scanning; the report does not list the destinations, so neither reading is confirmed here.
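A detector that would reproduce this signature from flow data, added here as an example and not taken from the sandbox: it counts distinct destinations per source inside a sliding window and reports whether they cluster in a handful of /24s (a range beacon) or are spread out (a scan), which is the distinction the signature text above leaves open. The flow records, the 10.20.0.0/22 block, the threshold and the window are constructed or assumed; only the 1122 count mirrors the report.

```python
"""Destination fan-out detector over flow records.

Added example, not part of the sandbox report. The flows are constructed:
192.168.1.50 sends one datagram to each of 1122 consecutive addresses in a
few seconds (the shape a Cerber-style UDP statistics beacon to a hard-coded
range produces), 192.168.1.51 talks to 30 hosts over a minute. The threshold,
window and "few /24s" cut-off are assumptions to tune per network.
"""
from collections import Counter, defaultdict
from ipaddress import ip_network
from typing import Dict, List


def slash24(ip: str) -> str:
    """Collapse an address to its /24, e.g. 10.20.3.7 -> 10.20.3.0/24."""
    return str(ip_network(ip + "/24", strict=False))


def make_sample_flows() -> List[Dict]:
    flows = []
    for i in range(1122):  # constructed beacon: 10.20.0.0 .. 10.20.4.97, 10 ms apart
        flows.append({"ts": 100.0 + i * 0.01, "src": "192.168.1.50",
                      "dst": f"10.20.{i // 256}.{i % 256}", "proto": "udp"})
    for i in range(30):    # constructed benign client: 30 hosts, 2 s apart
        flows.append({"ts": 100.0 + i * 2.0, "src": "192.168.1.51",
                      "dst": f"10.30.{i}.1", "proto": "tcp"})
    return flows


def fanout_alerts(flows, min_hosts=200, window_s=60.0, max_nets_for_range=8):
    """Report sources that reach at least min_hosts distinct destinations
    within any window_s-second window, and whether those destinations sit in
    a handful of /24s (range sweep) or are spread out (scan)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    alerts = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        in_window = Counter()             # dst -> number of flows inside the window
        lo, best_count, best_dsts = 0, 0, set()
        for f in fl:
            in_window[f["dst"]] += 1
            while f["ts"] - fl[lo]["ts"] > window_s:   # slide the left edge forward
                old = fl[lo]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > best_count:
                best_count, best_dsts = len(in_window), set(in_window)
        if best_count < min_hosts:
            continue
        # sorted() makes the tie-break for top_24 deterministic
        nets = Counter(slash24(d) for d in sorted(best_dsts))
        alerts.append({
            "src": src,
            "distinct_hosts": best_count,
            "distinct_24s": len(nets),
            "top_24": nets.most_common(1)[0][0],
            "pattern": "contiguous range sweep" if len(nets) <= max_nets_for_range
                       else "dispersed scan",
        })
    return alerts
```

The /24 clustering is the useful part: a host that hits a thousand addresses in five adjacent /24s is almost never doing service discovery, so the "pattern" field lets a SOC route the alert to the ransomware playbook instead of the scanning one.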
- Modifies Windows Firewall    2 TTPs 2 IoCs
  Processes: netsh.exe (PID 3924), netsh.exe (PID 2480). The report does not show the netsh command lines, so which rules or profiles were changed is not recoverable from this page.
- Drops startup file    1 IoCs
  Processes: cerber.exe
  - File opened for modification: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ (the Word STARTUP folder, opened as a directory; no dropped file name is recorded)
- Legitimate hosting services abused for malware hosting/C2    1 TTPs 2 IoCs
- Drops file in System32 directory    38 IoCs
  Processes: cerber.exe. All 38 entries are "File opened for modification" on directories under \??\c:\windows\SysWOW64\config\systemprofile\, which is the trace an encryptor leaves while walking the system profile's user-data folders rather than evidence of files being dropped. Paths relative to that prefix, in report order:
  - appdata\local\bitcoin
  - appdata\roaming\office
  - appdata\roaming\the bat!
  - appdata\local\powerpoint
  - appdata\roaming\excel
  - appdata\local\microsoft\office
  - appdata\local\office
  - appdata\roaming\microsoft sql server
  - appdata\roaming\microsoft\excel
  - appdata\roaming\steam
  - appdata\roaming\onenote
  - appdata\local\outlook
  - appdata\local\thunderbird
  - appdata\local\word
  - documents
  - appdata\roaming\bitcoin
  - appdata\local\excel
  - appdata\local\microsoft\microsoft sql server
  - desktop
  - appdata\local\microsoft\outlook
  - appdata\local\microsoft\word
  - appdata\roaming\thunderbird
  - appdata\roaming\microsoft\word
  - appdata\roaming\outlook
  - appdata\roaming\microsoft\onenote
  - appdata\roaming\microsoft\outlook
  - appdata\local\microsoft\powerpoint
  - appdata\roaming\powerpoint
  - appdata\local\steam
  - appdata\local\the bat!
  - appdata\roaming\word
  - appdata\local\microsoft\excel
  - appdata\roaming\microsoft\microsoft sql server
  - appdata\local\microsoft\onenote
  - appdata\local\onenote
  - appdata\local\microsoft sql server
  - appdata\roaming\microsoft\office
  - appdata\roaming\microsoft\powerpoint
- Sets desktop wallpaper using registry    2 TTPs 1 IoCs
  Processes: cerber.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5819.bmp"
- Drops file in Program Files directory    20 IoCs
  Processes: cerber.exe. All 20 entries are "File opened for modification" on directories. Two are the roots themselves, \??\c:\program files\ and \??\c:\program files (x86)\; the remaining 18, relative to \??\c:\program files (x86)\, in report order:
  - excel
  - microsoft\microsoft sql server
  - microsoft\outlook
  - office
  - onenote
  - outlook
  - thunderbird
  - word
  - steam
  - the bat!
  - microsoft\onenote
  - microsoft\powerpoint
  - microsoft\word
  - microsoft sql server
  - microsoft\office
  - microsoft\excel
  - bitcoin
  - powerpoint
- Drops file in Windows directory    64 IoCs
  Processes: cerber.exe. All 64 entries are "File opened for modification" on directories, not files. Two are \??\c:\windows\ and C:\Windows\SysWOW64 themselves; the other 62 are the LocalService and NetworkService profile folders, listed relative to \??\c:\windows\serviceprofiles\ in report order:
  - localservice\appdata\local\microsoft\word
  - networkservice\appdata\roaming\office
  - localservice\appdata\roaming\onenote
  - networkservice\appdata\roaming\word
  - localservice\appdata\local\microsoft\powerpoint
  - networkservice\appdata\roaming\onenote
  - localservice\appdata\roaming\outlook
  - localservice\appdata\roaming\powerpoint
  - networkservice\appdata\local\the bat!
  - localservice\appdata\local\microsoft\excel
  - networkservice\appdata\local\microsoft\onenote
  - localservice\appdata\local\microsoft\outlook
  - networkservice\appdata\roaming\thunderbird
  - localservice\appdata\roaming\microsoft sql server
  - networkservice\appdata\roaming\microsoft\microsoft sql server
  - localservice\appdata\local\powerpoint
  - networkservice\desktop
  - localservice\appdata\local\bitcoin
  - localservice\appdata\local\excel
  - networkservice\appdata\roaming\microsoft\excel
  - networkservice\appdata\local\powerpoint
  - networkservice\appdata\roaming\microsoft\office
  - networkservice\appdata\roaming\microsoft\onenote
  - networkservice\appdata\roaming\microsoft\word
  - localservice\appdata\roaming\microsoft\powerpoint
  - localservice\appdata\roaming\the bat!
  - localservice\appdata\local\word
  - localservice\appdata\roaming\bitcoin
  - localservice\appdata\roaming\microsoft\onenote
  - networkservice\appdata\local\office
  - networkservice\appdata\local\outlook
  - networkservice\appdata\local\word
  - networkservice\appdata\roaming\microsoft sql server
  - localservice\appdata\local\microsoft sql server
  - localservice\appdata\local\microsoft\onenote
  - localservice\appdata\local\thunderbird
  - localservice\appdata\roaming\microsoft\excel
  - localservice\appdata\local\outlook
  - localservice\appdata\local\the bat!
  - networkservice\appdata\roaming\microsoft\outlook
  - localservice\appdata\local\office
  - localservice\appdata\local\steam
  - networkservice\appdata\local\bitcoin
  - networkservice\appdata\local\microsoft sql server
  - networkservice\appdata\local\microsoft\microsoft sql server
  - localservice\appdata\roaming\microsoft\microsoft sql server
  - networkservice\appdata\roaming\steam
  - localservice\appdata\local\microsoft\microsoft sql server
  - networkservice\appdata\roaming\microsoft\powerpoint
  - localservice\appdata\roaming\microsoft\word
  - networkservice\appdata\roaming\powerpoint
  - localservice\appdata\roaming\thunderbird
  - localservice\appdata\roaming\excel
  - networkservice\appdata\roaming\excel
  - networkservice\appdata\local\excel
  - localservice\appdata\local\microsoft\office
  - localservice\appdata\local\onenote
  - networkservice\documents
  - networkservice\appdata\local\steam
  - networkservice\appdata\roaming\the bat!
  - localservice\appdata\roaming\microsoft\office
  - networkservice\appdata\local\microsoft\word
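The firewall, startup-folder, wallpaper and three directory-sweep signatures above are each weak on their own; together they are the shape of an encryptor run. As an added example, not the sandbox's own rule engine, the Python below runs that combination as rules over sandbox-style event records and returns a verdict. The event tuples are constructed to mirror this report's evidence (the wallpaper value, two netsh.exe starts, the Word STARTUP path, the three profile roots) with two chrome.exe registry reads as negative controls; field layout, the "Process created" operation name and the sweep threshold are assumptions.

```python
"""Rule-based triage of sandbox host events for ransomware behaviour.

Added example; not code from the sandbox or from the Cerber sample. The
event records are constructed to mirror the evidence in this report
(wallpaper set from %TEMP%, netsh spawned, Word STARTUP folder opened,
service-profile directory sweep); field layout and thresholds are assumed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (process image, operation, target)

# Paths copied from the report's signature tables.
PROFILE_ROOTS = [
    r"\??\c:\windows\SysWOW64\config\systemprofile",
    r"\??\c:\windows\serviceprofiles\localservice",
    r"\??\c:\windows\serviceprofiles\networkservice",
]
SWEPT_SUBDIRS = [
    r"appdata\local\bitcoin", r"appdata\roaming\office", r"appdata\local\microsoft\word",
    r"appdata\roaming\steam", r"documents", r"desktop",
]

SAMPLE_EVENTS: List[Event] = [
    ("cerber.exe", "Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper"
     r" = C:\Users\Admin\AppData\Local\Temp\tmp5819.bmp"),
    ("netsh.exe", "Process created", "netsh.exe"),   # PIDs 3924 and 2480 in the report
    ("netsh.exe", "Process created", "netsh.exe"),   # command lines are not in the report
    ("cerber.exe", "File opened for modification",
     r"\??\c:\users\admin\appdata\roaming\microsoft\word\startup"),
    # Negative controls: the browser's own registry reads from the report.
    ("chrome.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    ("chrome.exe", "Key created",
     r"\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry"),
] + [("cerber.exe", "File opened for modification", root + "\\" + sub)
     for root in PROFILE_ROOTS for sub in SWEPT_SUBDIRS]

WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper = (.+)$", re.I)
TEMP_BMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.bmp$", re.I)
PROFILE_DIR_RE = re.compile(
    r"\\(config\\systemprofile|serviceprofiles\\(localservice|networkservice))\\", re.I)
STARTUP_RE = re.compile(r"\\microsoft\\word\\startup\\?$", re.I)


def triage(events, sweep_threshold: int = 10) -> Dict[str, list]:
    """Map rule name -> evidence for every rule that fires on the events."""
    hits = defaultdict(list)
    sweep = defaultdict(set)   # process -> distinct profile directories it opened
    for proc, op, target in events:
        if op == "Set value (str)":
            m = WALLPAPER_RE.search(target)
            if m and TEMP_BMP_RE.search(m.group(1)):       # wallpaper pointed at %TEMP%\*.bmp
                hits["wallpaper_from_temp_bmp"].append((proc, m.group(1)))
        elif op == "Process created" and proc.lower() == "netsh.exe":
            hits["firewall_tool_spawned"].append((proc, target))
        elif op == "File opened for modification":
            if STARTUP_RE.search(target):                    # Office STARTUP persistence folder
                hits["office_startup_dir_touched"].append((proc, target))
            if PROFILE_DIR_RE.search(target):                # service/system profile walk
                sweep[proc].add(target.lower())
    for proc, dirs in sweep.items():
        if len(dirs) >= sweep_threshold:
            hits["service_profile_sweep"].append((proc, len(dirs)))
    return dict(hits)


def verdict(hits: Dict[str, list]) -> str:
    """Sweep plus any second rule is the encryptor pattern; anything else is only suspicious."""
    if "service_profile_sweep" in hits and len(hits) >= 2:
        return "ransomware"
    return "suspicious" if hits else "clean"
```

The sweep rule keys on service-account profile directories on purpose: ordinary user software has no reason to open LocalService, NetworkService and the system profile's AppData folders for modification, whereas an encryptor that enumerates every profile on the box does exactly that.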
- Enumerates physical storage devices    1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry    2 TTPs 3 IoCs
  Processes: chrome.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  (This and every chrome.exe-only signature below are attributed to the browser's own processes, PIDs 2576 and 1280 and their children, which the process tree shows started at the top level; none of them is tied to the sample.)
- Modifies data under HKEY_USERS    2 IoCs
  Processes: chrome.exe
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  - Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608020733484798"
- Modifies registry class    5 IoCs
  Processes: OpenWith.exe, chrome.exe, OpenWith.exe, cerber.exe, cmd.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (one entry each for OpenWith.exe, chrome.exe, OpenWith.exe, cerber.exe and cmd.exe)
- Opens file in notepad (likely ransom note)    1 IoCs
  Processes: NOTEPAD.EXE (PID 4884)
- Suspicious behavior: EnumeratesProcesses    6 IoCs
  Processes: chrome.exe PID 2576 (4 entries), chrome.exe PID 1280 (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary    5 IoCs
  Processes: chrome.exe PID 2576 (5 entries)
- Suspicious use of AdjustPrivilegeToken    64 IoCs
  Processes: chrome.exe PID 2576; 64 entries alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege
- Suspicious use of FindShellTrayWindow    43 IoCs
  Processes: chrome.exe PID 2576 (43 entries)
- Suspicious use of SendNotifyMessage    24 IoCs
  Processes: chrome.exe PID 2576 (24 entries)
- Suspicious use of SetWindowsHookEx    10 IoCs
  Processes: OpenWith.exe PID 2596 (1 entry), OpenWith.exe PID 4416 (9 entries)
- Suspicious use of WriteProcessMemory    64 IoCs
  Processes: chrome.exe PID 2576 wrote to memory of its child chrome.exe processes with PIDs 5104 (2 entries), 3672, 232 (2 entries) and 4936; the 64 entries are repeats against these four targets, which is how the browser hands state to freshly created child processes
Processes
The tree shown here ends inside chrome.exe's child list; cerber.exe, netsh.exe and NOTEPAD.EXE, to which the signatures above attribute events, are not in the visible part of the tree.
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\sigmahacks0.2.exe.i64
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  (the shell's "Open with" dialog host, consistent with cmd /c being pointed at a file type that has no registered handler)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes (every one has image C:\Program Files\Google\Chrome\Application\chrome.exe), by command line:
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa84b0ab58,0x7ffa84b0ab68,0x7ffa84b0ab78
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:2
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5076 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2640 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3160 --field-trial-handle=1932,i,6980592273367469131,7918802885147353458,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___65AG_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HM18A_.txt2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads