Analysis
max time kernel: 228s
max time network: 229s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-02-2024 13:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo
Resource: win10-20231215-en

General
Target: https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (434) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Downloads MZ/PE file

Drops startup file (5 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
Executes dropped EXE (2 IoCs)
Processes: CoronaVirus.exe, chrome.exe
pid | process
5660 | CoronaVirus.exe
12012 | chrome.exe

Loads dropped DLL (2 IoCs)
Processes: chrome.exe
pid | process
12012 | chrome.exe
12012 | chrome.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Drops desktop.ini file(s) (64 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | CoronaVirus.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1364394410-760759377-2797241167-1000\desktop.ini | CoronaVirus.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1364394410-760759377-2797241167-1000\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | CoronaVirus.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Drops file in System32 directory (2 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
Drops file in Program Files directory (64 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNG.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\ui-strings.js.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg6_thumb.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Mozilla Firefox\precomplete.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\QuizShow.potx.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-200.png | CoronaVirus.exe
File created | C:\Program Files\7-Zip\Lang\es.txt.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main.css.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\el_get.svg.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-200.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\af_60x42.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-125.png | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-150.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-150_contrast-black.png | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\ui-strings.js.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\3px.png | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.smile.small.scale-200.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-400.png | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons2x.png.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1s.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\1d.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\ui-strings.js | CoronaVirus.exe
File created | C:\Program Files\7-Zip\Lang\hi.txt.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.id-4CA00480.[coronavirus@qq.com].ncov | CoronaVirus.exe
Drops file in Windows directory (6 IoCs)
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdge.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
pid | process
8844 | vssadmin.exe
11056 | vssadmin.exe

Processes: browser_broker.exe, MicrosoftEdgeCP.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS (2 IoCs)
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133512709628306000" | chrome.exe
Modifies registry class (64 IoCs)
Processes: MicrosoftEdgeCP.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "1370" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1778a8ea1955da01 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "132" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "412959423" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total\ = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = dd0e71f01955da01 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "1418" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6b0d17f21955da01 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 80f380181a55da01 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DomStorageState\EdpState = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\MrtCache | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 957865051a55da01 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\NumberOfSubdomain = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe 
Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "1418" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft MicrosoftEdge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2808 chrome.exe (2 IoCs)
5660 CoronaVirus.exe (62 IoCs)
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid process
1112 MicrosoftEdgeCP.exe (8 IoCs)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
pid process
2808 chrome.exe (4 IoCs)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4172 MicrosoftEdgeCP.exe (4 IoCs)
Token: SeShutdownPrivilege 2808 chrome.exe (30 IoCs, alternating with the next row)
Token: SeCreatePagefilePrivilege 2808 chrome.exe (30 IoCs)
-
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
pid process
2808 chrome.exe (34 IoCs)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid process
2808 chrome.exe (24 IoCs)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid process
4116 MicrosoftEdge.exe (3 IoCs)
1112 MicrosoftEdgeCP.exe (2 IoCs)
4172 MicrosoftEdgeCP.exe (1 IoC)
2712 MicrosoftEdgeCP.exe (1 IoC)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process (64 entries; repeated rows collapsed to one per source/target pair)
PID 1112 wrote to memory of 4480 1112 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 2808 wrote to memory of 3872 2808 chrome.exe chrome.exe
PID 2808 wrote to memory of 2832 2808 chrome.exe chrome.exe
PID 2808 wrote to memory of 3588 2808 chrome.exe chrome.exe
PID 2808 wrote to memory of 5104 2808 chrome.exe chrome.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\LaunchWinApp.exe
  "C:\Windows\system32\LaunchWinApp.exe" "https://github.com/Da2dalus/The-MALWARE-Repo"
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffccc8c9758,0x7ffccc8c9768,0x7ffccc8c9778
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2776 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2768 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4444 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5036 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5596 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3520 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3044 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 --field-trial-handle=1856,i,693510944075992760,12439177401170942622,131072 /prefetch:2
      - Executes dropped EXE
      - Loads dropped DLL
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
        - C:\Windows\system32\mode.com
          mode con cp select=1251
        - C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
        - C:\Windows\system32\mode.com
          mode con cp select=1251
        - C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
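The shadow-copy note and the CoronaVirus.exe subtree together give a detection engineer the chain worth alerting on: a payload running from the user's Downloads folder spawns cmd.exe, which switches the console code page to 1251 and then runs vssadmin delete shadows /all /quiet, while mshta.exe renders the ransom note dropped into both Startup folders and every encrypted file is renamed to <name>.id-<8 hex>.[<e-mail>].<ext>. The Python below is an added example, not part of this report or of the sample: it runs that logic over constructed process-creation events and file paths copied from the tree (the PIDs and the benign explorer.exe control are invented). The wmic/wbadmin/bcdedit alternations in SHADOW_DELETE go beyond what this report shows; they are the standard T1490 equivalents of the vssadmin form.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, int, str, str]  # (pid, ppid, image path, command line)

# Constructed process-creation events mirroring the tree above. PIDs are invented;
# the images and command lines are the report's, plus an administrator deleting a
# shadow copy from a console under explorer.exe as a benign control.
EVENTS: List[Event] = [
    (1000, 800, r"C:\Users\Admin\Downloads\CoronaVirus.exe",
     r'"C:\Users\Admin\Downloads\CoronaVirus.exe"'),
    (1001, 1000, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (1002, 1001, r"C:\Windows\system32\mode.com", "mode con cp select=1251"),
    (1003, 1001, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (1004, 1000, r"C:\Windows\System32\mshta.exe",
     r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft'
     r'\Windows\Start Menu\Programs\Startup\Info.hta"'),
    (2000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    (2001, 2000, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2002, 2001, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest"),
]

# Constructed file paths in the report's renaming scheme, plus one untouched file.
FILES = [
    r"C:\Program Files\7-Zip\7z.dll.id-4CA00480.[coronavirus@qq.com].ncov",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    r"\desktop.ini.id-4CA00480.[coronavirus@qq.com].ncov",
    r"C:\Users\Public\Desktop\FILES ENCRYPTED.txt",
]

# Recovery-inhibition command lines (MITRE ATT&CK T1490). The report shows only the
# vssadmin form; the other alternations are the usual equivalents (assumption).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|vssadmin(\.exe)?\s+resize\s+shadowstorage|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)
# mshta.exe rendering an .hta from a Startup folder: the ransom-note persistence above.
STARTUP_HTA = re.compile(r'mshta.*\\Start Menu\\Programs\\Startup\\[^"]+\.hta', re.I)
# Console code page 1251 (Cyrillic): weak alone, but both cmd.exe instances above
# run it immediately before vssadmin.
CODEPAGE_1251 = re.compile(r"mode\s+con\s+cp\s+select=1251", re.I)
# Locations the OS never launches shadow deletion from, but dropped payloads do.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)
# Dharma/CrySis renaming: <original>.id-<8 hex>.[<contact e-mail>].<extension>
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>\w+)$")
BASE_SEVERITY = {"startup-folder HTA": "medium", "code page 1251": "low"}


def lineage(pid: int, by_pid: Dict[int, Event]) -> List[str]:
    """Image paths from pid up to the last ancestor we have an event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_recovery_inhibition(events: List[Event]) -> List[dict]:
    """Flag shadow deletion and its companions; severity rises to high when the
    chain leads back to an executable in a user-writable location."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, _, _, cmdline in events:
        if SHADOW_DELETE.search(cmdline):
            kind = "shadow-copy deletion"
        elif STARTUP_HTA.search(cmdline):
            kind = "startup-folder HTA"
        elif CODEPAGE_1251.search(cmdline):
            kind = "code page 1251"
        else:
            continue
        chain = lineage(pid, by_pid)
        origin = next((img for img in chain if USER_WRITABLE.search(img)), None)
        if kind == "shadow-copy deletion":
            severity = "high" if origin else "medium"
        else:
            severity = BASE_SEVERITY[kind]
        findings.append({"pid": pid, "kind": kind, "severity": severity,
                         "origin": origin, "chain": " <- ".join(chain)})
    return findings


def parse_encrypted_name(path: str) -> Optional[dict]:
    """Split a renamed file into original name, victim id, contact and extension."""
    m = DHARMA_NAME.match(path.rsplit("\\", 1)[-1])
    return m.groupdict() if m else None


def summarize_renames(paths: List[str]) -> Counter:
    """Count encrypted files per (victim id, contact, extension): the grouping
    behind the 'Renames multiple files with added filename extension' signature."""
    hits: Counter = Counter()
    for p in paths:
        info = parse_encrypted_name(p)
        if info:
            hits[(info["victim_id"], info["contact"], info["ext"])] += 1
    return hits


if __name__ == "__main__":
    for f in find_recovery_inhibition(EVENTS):
        print(f"{f['severity']:6} {f['kind']:22} pid={f['pid']}  {f['chain']}")
    for (vid, contact, ext), n in summarize_renames(FILES).items():
        print(f"{n} file(s) renamed with id {vid}, contact {contact}, extension .{ext}")
```

The point of walking the parent chain rather than matching the command line alone is the control case: an administrator's vssadmin delete shadows under explorer.exe stays medium, while the same command three levels below an executable in \Users\ is high. The filename parser yields the victim id and contact address that the FILES ENCRYPTED.txt note will also carry, which is what you pivot on when checking whether other hosts were hit by the same campaign.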
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\7-Zip\7z.dll.id-4CA00480.[coronavirus@qq.com].ncov
  Filesize 14KB
  MD5 663c44706375ef622944e7a6cfdb3569
  SHA1 0f5b01d8a69a3bd84e99b7948b5ceafb07ade427
  SHA256 77b52d2586a51af278c83f8ea9758ffb4637d3a82e0ab4f8bfed6b1b7ff2325b
  SHA512 1e6b3e00c02f7ee7ee5e9dd71c1f5364d91028a97fea4ecffcc3ea893f427eabdb8046dc15b9cbc3e8e3b120ce391e005bd28638ba5947712b8f055f525dd27b
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize 2KB
  MD5 d61dd344827d25f2581eac1f2731e437
  SHA1 7f054d26dd09ad794347774c93bc80efd33d7960
  SHA256 a7a309fc3e48471881e7db9b7304ef5a7222555398cc2f39dab21d5aec04a8b3
  SHA512 5719ef059a46633af1169e65b43ff14f6ac9aed3376ef26e9890de276083fbba88d81d05e0f68168b64a4d68e3f5508cd19356d4bc9fffa350ad1cff83ba24c3
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize 1KB
  MD5 192f49dc2e80740b41ef206a50a7d708
  SHA1 47ea5337f3840df9049fcceaed3822dc86f565f8
  SHA256 d7c0b1da81be741b9e654549e44dd302816d8065b57befbcefccce275b236db2
  SHA512 93f459848e70f9b9eacd3570e8f37b8f7d94dc3877e7466a61aa7afe2b7d193e2cf4c12ab00df98b09f5a7ad8a0cddacfda29e451fefb0b3a10b73e5b5b78cd6
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize 1KB
  MD5 781a41f477499185a25ce55e30345f78
  SHA1 e6932633f64d2dbd7f3937a225410c5929a34c74
  SHA256 801c72f180461db1434f4c36981aa44d7517964b082692c1a4d21d8bf77790fa
  SHA512 fa827ed43566710e361ba5ed64a2e92843832203add9a1e2d01a63a997c93b53eb958f71807d39f0f37c6005a7270084ae0a99bca52aff14ca90110f50663633
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize 1KB
  MD5 997306ef3edb738fad82464d1e113e1a
  SHA1 b0ae055d2ab6186e3d0024254bfa39c84b1802eb
  SHA256 3b392e78e5a6da0bfbb37c3f3ba5dd4e3c6dda06b5b214f143cf9e698e1fe866
  SHA512 74cd08a845c44998738d67c50bd092bbfdda6c2271e1472c66e78632d9095bc71c9fc8b84ea357d41ce12bae391f08e5fa57eafdd5c039591d72c2dfa0ceef8b
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize 6KB
  MD5 754636f1db65cead825dee792748312b
  SHA1 bc663bddf8a08b32aa0e98218cee36f57915fe6d
  SHA256 451b1e711543d8b95aab57228593475f1afda42ac57a88f9ba6d88257e202b54
SHA512897a6f53aa934dea743e21826d98181cb426f18dd4c8bdd02da492e9230094e01b1701c143fdd334aae8e5782466f867e90d192d26ca9aa229a3102c277d8bc9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5424c8cfe44621b19271c5d0e76882812
SHA1a5a251a38519e7ae2224734e0bad7ddf0ebbc3f2
SHA2562fdbfa38727dd3787498d1d78539841e9b89bd34bca862235c03680c61e8b1cb
SHA51206bdd71b64c10c01ed97741e26be6e9f1e0daf57160e05a29dd5507c7d631517c3bd3f97ed5cf895de7b1ea9c8e75ca6a135b42daba70534edc4d120f9c83b8d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5ecd1b57d51818d8435beeb76cf65481e
SHA14523952666db69470d2a6ad046ba6cb5bf6872cb
SHA256ae91858ec78f9ed2df09211235a5e0b1a54a150787fd03abcae9747f69c9b016
SHA512f728c707f2f94b2f20faf185e013b4a7ca0ece15b49713b3a50be7431831f9e24d5f4c57902ad726f633ceda787c9667116b4731b3a7031733cfeccf04bc8a1f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
15KB
MD5014e7334e03c3857d853e248583f355f
SHA1aa4cceac34c61158058cbb66286b66c5e842f2bd
SHA2565763d2e41964a5d524a2deb2b690fcb2c5b1113dae72d81dd43c44c4c98335ed
SHA512193f01311a74f53883469be557c8294510bcb1fe89178e6c90dce1eebf31c88d1fff714e22b671c5d0af207ed301d12c73dd9a8d29654b7f0cf3f35124574584
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
231KB
MD5d9a8dd87d75f3464e2e006051f3ffaa7
SHA17324eb7b1ec269f0e68222a3c519ad77aa657d4c
SHA2560b78b34310b535f1276b77e1d29bf20a1a455e5ff6ac5d12d60f93fbeead9c62
SHA51244cecac245880b3b98043331c174a49a9bc96e86fa95a9f69a2806c1c99ed7058fd77277eba5bcb7f41ab2487dcf071dcfe89d5faf42f161a2794749980ab6d6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
103KB
MD561020cb5f069466f909b5b31c15ab05d
SHA18ce23dec45e9fd49b0594143e8a3742f633ddebc
SHA256c6b4f4ced451f2d49990d555a4d760006439ef0d43a60cc7b086fb6d14c4ca0d
SHA5129d6099e8cdcfd40609ced6a4de051f2575f79e847b9beeae95796a647d5d53532c6350038bd511e02e41661806dd8b4eed95bbc7a78954141a80c9ddf56e185e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5990ad.TMPFilesize
93KB
MD5da5cbfbe86967d099b46ba5100069150
SHA1309842cf4a6c8c87923f81b9bc8b01133b3399ce
SHA25623d6e9568da7866698d1611dec0c3d134f719afb448c79f7a7aa7f476493d60f
SHA5127caacba80a213095994821cf4ec0481f8607952964451fad6888a8c1127991a2f3e8b47b209761b002186e53e146e65283de88a90059417d768c75df38283d38
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7MP3NYDO\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CZKH2CLU\warmup[2].gifFilesize
43B
MD5325472601571f31e1bf00674c368d335
SHA12daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
SHA256b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
SHA512717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0C619QA4\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\code-20736c7b619e[1].cssFilesize
29KB
MD515db69d4b9721da2155968262787a039
SHA1e0fffc9d574972c33bd444d6072d25279d255137
SHA2563983214bd52d9afcbc224d151744f09c7c5cf0ee5f234fef1a304b4c2f3d2d37
SHA51220736c7b619e911512e5d4d998b9256987170bb078f679b044782de773fce3042fa80932d8d7926c17e15623e84717742ba01d96f836395449c5ab6d95bede0d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\environment-8224c9e1bb22[1].jsFilesize
8KB
MD5a7798fbdde9625304320c5216e7b2278
SHA1c32b7cc0ec7ebe8f4e79688ae21255ada1065e1d
SHA2562a75ffb0aaf56cf7e485047745c77fb7269deb4b39b5547584235f2dd2ce7be9
SHA5128224c9e1bb22987a0586c3f4bdbab40c6c0b12acaad9a814003f1c0db1f919cf790b84df0ec6cff549ebceffe16f5559ee72075503ab157381a83b55ec803844
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\github-36dce55f3db6[1].cssFilesize
115KB
MD5019f4e6c208662333a257958b5936419
SHA1bef42b71460fbbc465635f7264b2aeff85beb04f
SHA2569ef54dd85486b2821bad5c07011e358eb95c99885d97bdc6ba74e73d3d841554
SHA51236dce55f3db65e12751e4c63e82a29cf81f3dca449e90a76e2bb4410ea9c39b4f0fb098be3fde866902b2f3df33727614260c567e96feb5b0dab98f2ad3450de
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\github-elements-32e113a37e3e[1].jsFilesize
36KB
MD5d70912ed63f6d85cbb6299ac0a8b54ce
SHA1824336a6c3ce954b51ede5ad2ceeb8c9751b353a
SHA25689b71912b4b14cc34758cd18aab304bc37a5ecd9a49e63266eb9d306b8eadea9
SHA51232e113a37e3e16d9e1c53804079230cb4c20b1a314b3e2da8353ec1cc08a6aa45823d90d09741ed872dd65beb11d39ad5ca583492935568d4246892adda9b030
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\global-f09ebc6a944d[1].cssFilesize
278KB
MD5a906304dfe9299569e4a3e8fd89a8979
SHA1dc9edb819f5d49bca17f39c81569b5d1edd8c269
SHA256d1597253bc97e1b460c7183579973549849529f09d4711b978b51488ddc2098f
SHA512f09ebc6a944d3a9d68497d0e74ceb51e26c1cd90934b8c0cb82a15ed4e1c976031ed596320d5e42dc170e0c33819a184f4827c1f8d4c17d7926b46d29e6676c7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\primer-8d5f5de81af9[1].cssFilesize
348KB
MD52a97d2c66a6548a37f9bf4c452fd1c84
SHA11791b393bf4136c75414633d29195521441d4235
SHA2566b6f123aa13361e17f0a398bacb8131c21ae840e59d1702ea12b4caa2dc42720
SHA5128d5f5de81af9c7642d696eb1b0b3860e5f1b21f77628228a70b4c2d9ab6b360303576daf50828f34f2d1bf00413d5d640d478eb3fe3604df856f0b2cc6f294e1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\repository-389a4d55bc31[1].cssFilesize
27KB
MD5c31345ce5d9bbd861b8c569b5df71877
SHA18741333af90bd40bca42d16ca8419c03a777f8a1
SHA256660f44ad590cae51ea2fd60903365410d6a41d1acc88c16de9976c5110426028
SHA512389a4d55bc31975dda3ae43c7e2fe48139736672ad5d6b396002cc0563df2c64729a2ca0c00e576ba6ac1d5b541714fcc54bf3ced32e6702c3dbadf912618905
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\ui_packages_failbot_failbot_ts-f344cfdbb3b8[1].jsFilesize
8KB
MD55a3b4166228296c44c852e80d5986e36
SHA19cc69faf735030c65b2870f2dddd76ba2a2fab3b
SHA2565e718adf73239932513155f70a0c2bb46e00babfa394d303c96a472aca9cc2dd
SHA512f344cfdbb3b835e7ca9af9f31f46f9a880651fad192120cb4a79c55d42046b6a0ef69c69d4e11019ca87cdae69d9d7ef1101276b683dbb331633e1888dd70b50
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_delegated-events_dist_index_js-node_modules_github_details-dialog-elemen-29dc30-a2a71f11a507[1].jsFilesize
15KB
MD5b6a276c5c85ffb793d0a9ed82a24cb6e
SHA1e3f235f3b5f96894214f8c038632262b460441fb
SHA256f065392ebd02bfe54dfa902c51348eaeb4b7a00c0463ad23a1f9e671150c11f0
SHA512a2a71f11a507482b9c26beabf60b83d3bb9d5fadba55b79ae456d41cc748b6e624932b9bac8308fe1d16c9422b20c98440c273ad9b00c724615cc07c5c158c5f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_dompurify_dist_purify_js-6890e890956f[1].jsFilesize
22KB
MD580fa30c00e347b5bbc8b7ff9dc2c9f44
SHA1d085fe485ada77814949e92fa9e1b1eb05ba5eda
SHA256be77c75cf182f1830d0f90b8d7aee460f0108c6e7f5a143a524f709b9023c80d
SHA5126890e890956fafa8187511df1ac3c80a5b8d56be5ca989da251741f59c8d1186c0efa3d374f113b0ebeda124b78dedd106ea97f487ec04cf2a012e7bdd1048b3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_github_auto-complete-element_dist_index_js-d6c09d7e4e48[1].jsFilesize
13KB
MD56bc4026c44957759005bf7fc5792773e
SHA1454edf5bda858b396845c240d86643b3758f5287
SHA2561f36b3eb6d7fbae684bf3920036a776d32173740e8099d1b2cc95db01d3e195c
SHA512d6c09d7e4e48d7d5eb1f549f971879a93787c2d36f936a8fff112a5c64d8dd484afc72ba5b0be9e2030e09a869b22ab218e7aa133106cc6f936287d106e44c4f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_github_catalyst_lib_index_js-node_modules_github_hydro-analytics-client_-978abc0-15861e0630b6[1].jsFilesize
8KB
MD5bb0e7b5daaad560076f1959626fe8623
SHA1d54551de50a0af1d7a1d68eb83ed73dbf8330b33
SHA256c12b2709c4790c9c065cdc183bd4d877cc5d15cfbf1cfacb1244263ea81074ca
SHA51215861e0630b65ab8c41dc4ae2f8d9ce53aabafb12d066f8ce9e3532e6ef5fa5a0380c8caa6ee470b15fa1a5614a2f756a3a202ebcbb9e5a4457f0755b7d34f14
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-b7d8f4-3867c6400aef[1].jsFilesize
18KB
MD510bcc98971de3b7c4849e0c110725ce7
SHA165f7192990ba4f40e3b03afa5bc1798ffd674f18
SHA2560b8e6d9f6f0c40d1c686d26c9e4ca14c8817055471a8ac2646438996da76e260
SHA5123867c6400aef1a79296637d817d8f7bc564517ce3b142566cbe1c0d3a1172e471a020635117f558206873d7effe28fb3cfe1fb9776b589dc57f824154eb329eb
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_github_alive-client_dist-bf5aa2-1b562c29ab8e[1].jsFilesize
13KB
MD5f3fc91d783e4aca512744ca779f5563e
SHA1888fcb2874e8dc5e2311007833c3da05475d29ab
SHA25662b68187e1a4b7d9fd029df4a125a6f5c6a9cb95f4e49b087b56bfe8276a07bf
SHA5121b562c29ab8e339e7785365933f64f26d14f8800c00a08c667623d4bc5bd244bc80b567519ce781f8082ad736275506b4ea58c3bb1dbd5d260eb8e7c42f60e19
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_github_relative-time-element_dist_index_js-c76945c5961a[1].jsFilesize
14KB
MD52cabd818fb8745b2fc7d5f92594269b8
SHA188108fecb3839f06671c2a21e35163e0e414b2b0
SHA25655cdbee6ddce98f5c299a24fb9851501f46ff0cdd2ef3b2f7bb572a3940b462d
SHA512c76945c5961a4f5b2cb1f85bd3cbb35d5e81f611c3ba05543acfe870728e94e9719c9331b65f4c2c8723960c5ac1e9cac0495a892f049b41ed3ffbe899b93700
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_github_selector-observer_dist_index_esm_js-9f960d9b217c[1].jsFilesize
9KB
MD5683a7fe431bded8fbbf7b5189a1b8209
SHA12fb527473877ea06ec6b023690ce933c216c5d07
SHA256f87c5b59b8f353c8762f2e44e1f82feafab882a96a0fad135dc6fc1555872ab3
SHA5129f960d9b217c457d467a9510dd9797c4ec9df9a892c0a3e1746b2b87dca8ec191dc901e983bc509bc282004967b6fd588dbff5bf70bc7e20a5ca32bc7f1d772a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_lit-html_lit-html_js-5b376145beff[1].jsFilesize
15KB
MD581628c9093236d8e3cf835f708c30608
SHA1846b10531dfca6510051fc43abb8f9b5647a0433
SHA256daf381c316a5988c9116aa65c5816cbc8a958211b4c0b7d989ad6c9645757902
SHA5125b376145beffca1bfc6b0352c08819609a974b6170848699421208752a63f057869e0e4ddd23797b3a0c281c276d7fae580cf41bb5465c632aee58524b21e7ba
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_morphdom_dist_morphdom-esm_js-5bff297a06de[1].jsFilesize
4KB
MD511a69b0651264a2235a7059e9e677227
SHA1a467270f0455de4ab13fd33856a5341e38aaa6ea
SHA2563316d32e073b0f756d7e247b00b1a016f421973c50f1e3a9ce9f5b86e975cf9d
SHA5125bff297a06dec294d6d6eb1f52edf99e69871f6325e470c4792283524e0f65fdc701c1dd9c962f49cb42276cd108e7e4a71573ff575c971add30616c24101450
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-086f7a27bac0[1].jsFilesize
8KB
MD56822816845d932c1e93f68372f005918
SHA11dd14a539530e8d131ce29be5e5f84e4098b6a15
SHA25614d338ed3345cc8d74e239c812aa37eeee6126bc1ad8a17e4e2cf6ba8ee0adee
SHA512086f7a27bac0d285f5e0c849cebac7176f86edb18037d8ec4356c2b8892fd3f47e045f857eb673b213661eea17441192cdb7a76c807c2badcecff6b7901aba92
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\vendors-node_modules_stacktrace-parser_dist_stack-trace-parser_esm_js-node_modules_github_bro-a4c183-79f9611c275b[1].jsFilesize
13KB
MD50ebf88b18838ca3926ece77027c1a096
SHA10f2edc27f5a23e5c2f699443c0d6572904b7bfd2
SHA256452a443efadf60da1b19b9bf50d6cbbb25ab9441a3e9fe73b678d9cd486d80b6
SHA51279f9611c275bf2087d6b063e2f4bf13feddab30c494b7bc968169fddf15a451aa26fe231ffe9e2eb4b9923477528ce638f5688cf4930953d372df69e822ffb44
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\62M7WA9Y\wp-runtime-cd3558f35c0e[1].jsFilesize
35KB
MD5f0da1a9f3b270c3c2e04ba5a91075089
SHA10aa699e58a2e1e7f2cb62d640f63fb4e10d87ff6
SHA25677def833b39e6669b32df7ebf51e6f51f335c01c904cb965c189fe23d95da69d
SHA512cd3558f35c0ee6dd3d823d015423ea9b235f6e1436f3148f039308d7ff0af96f9065be75b4f91f3211c56aa9df386a48b6c76561db2907e8b84c2be56f784a98
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CZKH2CLU\The-MALWARE-Repo[1].htmFilesize
156KB
MD5531cbc92f63dd5dd7be2dcdf39ceb1a3
SHA136fbc3d58f47e3143d8981173cf2988ecb724de2
SHA25689b1000b647488b529ebd05c5247f28c6efee34d615d581c1b5129a015876858
SHA5124c526222eb02cda0d6eb8c1edfdb3a3b62c8bdb55111503bfdf94a80d739264a13d0e37d9cf4f46d661ae695a6419e5b5610d37dcb6d824e208de66ab4d5ba41
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NWU07X5S\dark-a167e256da9c[1].cssFilesize
110KB
MD516bf89ddba1dd57f22db711fabe734a4
SHA1957574454d6cf7418b7ec21ee68b9f6cf9121ea5
SHA2569b8c1638bd260c5ffc8f57ce371ef17210117aae67ffce5afbf141feec1c4c53
SHA512a167e256da9cfd581c6d23cf0e71e8df6f863b162e9d1f8d32baf91adc0f89b7d75f059061ac6b643230821b6a82bcfa356bd64758a2f337e95cdceedaabdb09
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NWU07X5S\light-0eace2597ca3[1].cssFilesize
110KB
MD5c98edbdc81b370dec6c1635959f3e6d1
SHA1fc7c9fd6033bbc608ac6b77b5b481c7bfe162e75
SHA2567214039084d73a8ac3457904dce9dba06f30e82c1b62bf186e791502aad5c41c
SHA5120eace2597ca30668d561697e3275158ede25e98bb9af70b059f8a1edcd139ce4910c9e04a1d739918615d4042fd4c5d16f6d5ec0983c9785537f55aba10cb64a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NWU07X5S\primer-primitives-971c6be3ec9f[1].cssFilesize
7KB
MD5a22465990aba9644964f77d64b0544cc
SHA196e85e4c1dbab0a825931a0efc47530c5a985886
SHA2565a5714b3410db5a37ca06954c5e34d1332a511683276730e6c85105535b9328f
SHA512971c6be3ec9f2411afd2d8fa0a9d223eb9fd184bb36c446043d6892fd601a78b740082422544025483f0b24ebe554848e37b78eb09969a0c1ba353b91decab1f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\FVQNFO9U.cookieFilesize
169B
MD51a9852b2f23436768c58ade71880efc0
SHA1b016f8a4bf51daa320d26dcf69652bb7aef954ab
SHA2562d4840743873c5aa49e5f971f761c1bdf63ad4165610337185d47e1b3b330234
SHA5123954ba6fb75264b91001e63a3a0ce953bf6e906b54ebaa345643e24d6d39953abb25ee547f550d1907050bb31bc24bf07c7a561f11963ed10634a128b700cce2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1CFilesize
314B
MD57d453b8786d0ad283fc8af24a98de123
SHA124d6e79526a97579dbb5386ff281543fc484aba6
SHA25647862153366ec54a79876c8872b76c7502190c60e19b0e475bd358ac8ff946bc
SHA512211707b988ad1765af9cd8344b8c8ed667dd29b07d6f87d0cdabe35f921c1e329abd8801d258dec0f2a5dc806c2f240aec780e3f31dc0f4a233b2e9b7b11ef02
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565Filesize
471B
MD5528047f8e8d53329886a6f73112a2643
SHA162d9dda9dc928af4f7a0e62a47c1a1062eaebf3b
SHA2562a6153c15246bf32fc98314aa11630009283757962dbfa7d989e8977cc853bb8
SHA5121e458c6109aee6bf4d3898c91c22684149d96226893521d9b7ba342ad2549caa85a49800e520dba9e990d98d691afdfeb7eddde1374662be380f0129a0b3ec6c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1CFilesize
408B
MD5049ab503f7c55a052d496421cf7870eb
SHA118e6fbacde674943dc10b10ef5599d479f5aae6c
SHA2565a764051ebb21ddbafa55cdb97cf153d6ecdb5ed34f0eacc6c6bf61ae7eaf6ae
SHA512a0cfc746c15d69972636a5fda3b71c9c24c2c5b5e18647ea52b5326bc5c24b3fa189ef0f8d948a7f498d5372b208c0e9ca478d897e36d6161b3a84c13932dde4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565Filesize
404B
MD519b96216fcb3336ced13d150c6702c1c
SHA14e8f306332f44690c22cda838f72aa82f9bfad6d
SHA256a3c44b3a5135607c65e4a051387ef85004e377d06b8ebf3ba7221c9cb320b2e6
SHA512946f8c3cf286c04104059d4cc72f69cdad535220c45f71619a09ac248e0e65d00889ac420a9bd24d37f0557899d155ef93b7181fafae157a94379ea6eae5846e
-
C:\Users\Admin\Downloads\Unconfirmed 80665.crdownloadFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
\??\pipe\crashpad_2808_IPSTBWITYLITOIYBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2712-298-0x000001F027FF0000-0x000001F028010000-memory.dmpFilesize
128KB
-
memory/4116-205-0x0000021E1CE90000-0x0000021E1CE91000-memory.dmpFilesize
4KB
-
memory/4116-0-0x0000021E14A20000-0x0000021E14A30000-memory.dmpFilesize
64KB
-
memory/4116-16-0x0000021E14E00000-0x0000021E14E10000-memory.dmpFilesize
64KB
-
memory/4116-204-0x0000021E1CE80000-0x0000021E1CE81000-memory.dmpFilesize
4KB
-
memory/4116-35-0x0000021E14C70000-0x0000021E14C72000-memory.dmpFilesize
8KB
-
memory/4480-186-0x0000017DAAF80000-0x0000017DAAF82000-memory.dmpFilesize
8KB
-
memory/4480-188-0x0000017DAAFA0000-0x0000017DAAFA2000-memory.dmpFilesize
8KB
-
memory/4480-184-0x0000017DAAEC0000-0x0000017DAAEC2000-memory.dmpFilesize
8KB
-
memory/4480-182-0x0000017DAAEA0000-0x0000017DAAEA2000-memory.dmpFilesize
8KB
-
memory/4480-178-0x0000017D9A060000-0x0000017D9A062000-memory.dmpFilesize
8KB
-
memory/4480-180-0x0000017DAAE80000-0x0000017DAAE82000-memory.dmpFilesize
8KB
-
memory/5660-621-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5660-633-0x000000000AD30000-0x000000000AD64000-memory.dmpFilesize
208KB
-
memory/5660-643-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5660-12918-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5660-22870-0x000000000AD30000-0x000000000AD64000-memory.dmpFilesize
208KB