Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24-05-2024 16:52
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
-
Size
207KB
-
MD5
ca78d1193cae9708942d3a1266947b3e
-
SHA1
63d6f8ddc1dd9eab848cd71ce60d9ba9b3bd733e
-
SHA256
ca3282264b6fb5a3aae171d76a8a27ad1e121e0b3dd682eb4d2e8ff03e2ace57
-
SHA512
f6f39fb4d9ba81cc892c0de665e3d0d3b285f7b5cbea1bdb78ca21eb86dfa05a0c2ac93fc3ab985ee45cd15883d0347bb61615436e3a58f998106e7751784437
-
SSDEEP
6144:634clT8CJLtVXW+BPGaDEoP/Siazel15:s4uT8CJpVm+BuaDj/Sps
Malware Config
Extracted
C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.html
Extracted
C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.txt
http://bqyjebfh25oellur.onion.to/7465-210B-ED37-0046-1237
http://bqyjebfh25oellur.onion.cab/7465-210B-ED37-0046-1237
http://bqyjebfh25oellur.onion.nu/7465-210B-ED37-0046-1237
http://bqyjebfh25oellur.onion.link/7465-210B-ED37-0046-1237
http://bqyjebfh25oellur.tor2web.org/7465-210B-ED37-0046-1237
http://bqyjebfh25oellur.onion/7465-210B-ED37-0046-1237
Signatures
-
Cerber 2 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe, openfiles.exe
description | ioc | process
Mutant opened | shell.{5571000E-68A7-AC8F-96B0-663B774A1FD5} | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Mutant created | shell.{5571000E-68A7-AC8F-96B0-663B774A1FD5} | openfiles.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: openfiles.exe, 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | openfiles.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe, bcdedit.exe
pid | process
2332 | bcdedit.exe
3184 | bcdedit.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe, openfiles.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | openfiles.exe
Contacts a large (533) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: openfiles.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | openfiles.exe
Drops startup file 2 IoCs
Processes: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe, openfiles.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\openfiles.lnk | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\openfiles.lnk | openfiles.exe
Executes dropped EXE 1 IoCs
Processes: openfiles.exe
pid | process
4468 | openfiles.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe, openfiles.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\openfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | openfiles.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\openfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | openfiles.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | ip-api.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: openfiles.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6359.bmp" | openfiles.exe
Drops file in Program Files directory 16 IoCs
Processes: openfiles.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.html | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.vbs | openfiles.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE | openfiles.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.html | openfiles.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.txt | openfiles.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE | openfiles.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml | openfiles.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.url | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.vbs | openfiles.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.url | openfiles.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.txt | openfiles.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
4248 | vssadmin.exe
Kills process with taskkill 2 IoCs
Processes: taskkill.exe, taskkill.exe
pid | process
4388 | taskkill.exe
1404 | taskkill.exe
Modifies Control Panel 4 IoCs
Processes: openfiles.exe, 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | openfiles.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\\openfiles.exe\"" | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop | openfiles.exe
Modifies registry class 1 IoCs
Processes: openfiles.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | openfiles.exe
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: openfiles.exe
pid | process
4468 | openfiles.exe (the same row is recorded 64 times)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes: msedge.exe
pid | process
888 | msedge.exe (the same row is recorded 10 times)
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe, taskkill.exe, openfiles.exe, vssvc.exe, wmic.exe, taskkill.exe, AUDIODG.EXE
description | pid | process
Token: SeDebugPrivilege | 4500 | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
Token: SeDebugPrivilege | 4388 | taskkill.exe
Token: SeDebugPrivilege | 4468 | openfiles.exe
Token: SeBackupPrivilege | 1976 | vssvc.exe
Token: SeRestorePrivilege | 1976 | vssvc.exe
Token: SeAuditPrivilege | 1976 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1872 | wmic.exe (x2)
Token: SeSecurityPrivilege | 1872 | wmic.exe (x2)
Token: SeTakeOwnershipPrivilege | 1872 | wmic.exe (x2)
Token: SeLoadDriverPrivilege | 1872 | wmic.exe (x2)
Token: SeSystemProfilePrivilege | 1872 | wmic.exe (x2)
Token: SeSystemtimePrivilege | 1872 | wmic.exe (x2)
Token: SeProfSingleProcessPrivilege | 1872 | wmic.exe (x2)
Token: SeIncBasePriorityPrivilege | 1872 | wmic.exe (x2)
Token: SeCreatePagefilePrivilege | 1872 | wmic.exe (x2)
Token: SeBackupPrivilege | 1872 | wmic.exe (x2)
Token: SeRestorePrivilege | 1872 | wmic.exe (x2)
Token: SeShutdownPrivilege | 1872 | wmic.exe (x2)
Token: SeDebugPrivilege | 1872 | wmic.exe (x2)
Token: SeSystemEnvironmentPrivilege | 1872 | wmic.exe (x2)
Token: SeRemoteShutdownPrivilege | 1872 | wmic.exe (x2)
Token: SeUndockPrivilege | 1872 | wmic.exe (x2)
Token: SeManageVolumePrivilege | 1872 | wmic.exe (x2)
Token: 33 | 1872 | wmic.exe (x2)
Token: 34 | 1872 | wmic.exe (x2)
Token: 35 | 1872 | wmic.exe (x2)
Token: 36 | 1872 | wmic.exe (x2)
Token: SeDebugPrivilege | 1404 | taskkill.exe
Token: 33 | 3200 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3200 | AUDIODG.EXE
(Rows marked x2 are recorded twice in the original table, giving 51 rows in total.)
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process
888 | msedge.exe (the same row is recorded 25 times)
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process
888 | msedge.exe (the same row is recorded 24 times)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe, cmd.exe, openfiles.exe, msedge.exe, msedge.exe
description | pid | process | target process
PID 4500 wrote to memory of 4468 | 4500 | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe | openfiles.exe (x3)
PID 4500 wrote to memory of 1132 | 4500 | 2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe | cmd.exe (x3)
PID 1132 wrote to memory of 4388 | 1132 | cmd.exe | taskkill.exe (x3)
PID 1132 wrote to memory of 3588 | 1132 | cmd.exe | PING.EXE (x3)
PID 4468 wrote to memory of 4248 | 4468 | openfiles.exe | vssadmin.exe (x2)
PID 4468 wrote to memory of 1872 | 4468 | openfiles.exe | wmic.exe (x2)
PID 4468 wrote to memory of 2332 | 4468 | openfiles.exe | bcdedit.exe (x2)
PID 4468 wrote to memory of 3184 | 4468 | openfiles.exe | bcdedit.exe (x2)
PID 4468 wrote to memory of 888 | 4468 | openfiles.exe | msedge.exe (x2)
PID 888 wrote to memory of 4280 | 888 | msedge.exe | msedge.exe (x2)
PID 4468 wrote to memory of 3796 | 4468 | openfiles.exe | NOTEPAD.EXE (x2)
PID 4468 wrote to memory of 3120 | 4468 | openfiles.exe | msedge.exe (x2)
PID 3120 wrote to memory of 3644 | 3120 | msedge.exe | msedge.exe (x2)
PID 4468 wrote to memory of 4576 | 4468 | openfiles.exe | WScript.exe (x2)
PID 4468 wrote to memory of 3872 | 4468 | openfiles.exe | cmd.exe (x2)
PID 888 wrote to memory of 5032 | 888 | msedge.exe | msedge.exe (x30)
(The count in parentheses is how many times the row is recorded in the original table, 64 rows in total.)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; [n] is the nesting depth, children are indented under their parent)
[1] C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe"
    - Cerber
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\openfiles.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\openfiles.exe"
      - Cerber
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\system32\wbem\wmic.exe
        Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\bcdedit.exe
        Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\System32\bcdedit.exe
        Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd83a446f8,0x7ffd83a44708,0x7ffd83a44718
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15761227380570410986,4371747741501860682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
    [3] C:\Windows\system32\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bqyjebfh25oellur.onion.to/7465-210B-ED37-0046-1237?auto
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd83a446f8,0x7ffd83a44708,0x7ffd83a44718
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,16561236815855737244,4012982818151082117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
    [3] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    [3] C:\Windows\system32\cmd.exe
        Command line: /d /c taskkill /f /im "openfiles.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\openfiles.exe" > NUL
      [4] C:\Windows\system32\taskkill.exe
          Command line: taskkill /f /im "openfiles.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\PING.EXE
          Command line: ping -n 1 127.0.0.1
          - Runs ping.exe
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /f /im "2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe" > NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im "2024-05-24_ca78d1193cae9708942d3a1266947b3e_cerber.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x518 0x2c8
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
  Indicator Removal (2)
    File Deletion (2)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: ecdc2754d7d2ae862272153aa9b9ca6e
SHA1: c19bed1c6e1c998b9fa93298639ad7961339147d
SHA256: a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
SHA512: cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 2daa93382bba07cbc40af372d30ec576
SHA1: c5e709dc3e2e4df2ff841fbde3e30170e7428a94
SHA256: 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
SHA512: 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: a2f0d94938bfa36190ea3cf593b764a1
SHA1: 8b8861f6764d52f5819ec2163df6955c576ccb4f
SHA256: 50d8af3714d1f0e7f769b753e09dbc64a736b130088ee2e184866451b23898bc
SHA512: e8bddf844e063a449abdb25d5cfd5aa85083aa12034ee54cbabf119a2abff3dcf70c3b622fd83b5a4e30d671363349bf19e6ad61d38e481697295e547ccc0cff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 76be146a03b5a1f0759138a561db15ec
SHA1: 4ff1246ec0d7dc242ec3f7a9b4c6e919403eb760
SHA256: 523e85dad72fa7b829b3e10f0ee1af02c73fefd9b8aa1d23f05475dc044717bf
SHA512: e88437f00663122e5a4249c24024a8f5cfadfb4f26c667f8e61d1e0031d257650b66c5720ca52731a45696a120d88e0cf8f2a21500d16a739a312daf5ca752c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: eb3ccf70198fdb7ed0b07cecbfead2e3
SHA1: f2901d9d79a510983876f0870e31718dd3622388
SHA256: f6accc6c2bec1f42dd19edbe2875e02fc7f7120bacbefb11031b1453c6b17736
SHA512: e2a6494abce05d7e098f7ac2d77ca4f6ddffcff132a8671daac3ca8b1b468a5c023628ea395832d7e3a06ea95b5f76b6f9e9afca1e2551219cb37f86b924fcd1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 8KB
MD5: 633ef2b2303655122026cf557f3e80eb
SHA1: bf8e1098a4dbc8ffc6e680ce822b1ed36eb9c6e9
SHA256: d47b090d67ab3e46dad0f423462aeb68f09a81c3b461986918c261d7c37e197d
SHA512: 16743bd666505b0553e12f53ca826d099dfb4ed8e638ee27c306f470c6f4815fa5944d97af010ca3a30e28e58ed23221259797804ed4512c8b718d1462dcbbb6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y19NSK22\json[1].json
Filesize: 297B
MD5: bd0c2d8e6b0fe0de4a3869c02ee43a85
SHA1: 21d8cca90ea489f88c2953156e6c3dec6945388b
SHA256: 3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533
SHA512: 496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\openfiles.lnk
Filesize: 1KB
MD5: 883a12df36521ee948245c29f77b8a58
SHA1: b42baff14814638821cdf2e665243013ef4c25a3
SHA256: 4fc3ad8445fa4788215c470da1d5e12fe49b57ee61a1eed6bae3e2c94f676780
SHA512: c5a02e43a19f3b531103d36576c7db9696c7b2e37ea958d6f46da00fdf77f47e71d8dc3715c422ae67aedf85c692ddced85fd5c11deb2cdfc0d09b1ea7bc2bd9
-
C:\Users\Admin\AppData\Roaming\{D7C5F711-6E4C-D772-9749-829CD9653CCF}\openfiles.exe
Filesize: 207KB
MD5: ca78d1193cae9708942d3a1266947b3e
SHA1: 63d6f8ddc1dd9eab848cd71ce60d9ba9b3bd733e
SHA256: ca3282264b6fb5a3aae171d76a8a27ad1e121e0b3dd682eb4d2e8ff03e2ace57
SHA512: f6f39fb4d9ba81cc892c0de665e3d0d3b285f7b5cbea1bdb78ca21eb86dfa05a0c2ac93fc3ab985ee45cd15883d0347bb61615436e3a58f998106e7751784437
-
C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.html
Filesize: 19KB
MD5: 3417399b77b533cfc4f16b56d7a1a090
SHA1: bcecadd0a021c006d565361734e58ee74a90af52
SHA256: ceec67a825831add725074ab6d7a90b4eaf596615238c9acc713168db8717a0b
SHA512: 9e58c456d0db62b644e41b2c5053e8752676a417605ca364413d59521a5e7420281ad6e8e3fb1141ed0cb82693c3e9cf61d9733b5eefab046b873f3ba32eec4b
-
C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: fa8a4a630808fda6ee06cd92d6b6ecbf
SHA1: 3c59993ba94bd4315dffef6aa6571bc0053b3a29
SHA256: 837bb2240d20640c3232e5e771ef1766ff463783733bbabdd860a3e91666a02e
SHA512: fda46c8e5d2d3230e339fcbfdccdc36019887993a0c6b78a6e19aaa996e043c2ff602e24eefda8af75082a1c83add196ab3caa249799b96d2303803bf799fcee
-
C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.url
Filesize: 88B
MD5: 551c188141f0cd596ae6f974c6668f3d
SHA1: a66e520faf65b258952b14c92c391f5a4bf4de23
SHA256: 61498a189cbe1bd556998dff15861091636a02216a18675a1b039fc18fd129d6
SHA512: 64b3e696a2b30a2c32319cbedf570b90c91ab38776cf1cb832f1f66c9b239e47a019992f9d736658029282b926d9f62f6945e9d14a2996dbfc1dc9cd8a936807
-
C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.vbs
Filesize: 252B
MD5: 18d46f5d8ebd3c7d6df0c7a8fd1bd64d
SHA1: aeb8407457434aabce2a4c2f95fe305c5303f929
SHA256: ceb35b75d397b07c84dfab3a28189e9431bdf80ec99ab65f9ccf01986bd4a8e9
SHA512: 35fc759be0dee77eb9e39350873c24d9693cf6f370f171814e2ce6250ea814fea8a0887442ebae9077d6e9ff81ae7034faa0afcb080401a7d4ac384d2ba42d65
-
\??\pipe\LOCAL\crashpad_888_SQFNNLHUWZXAKTMH
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e