Analysis
  max time kernel: 233s
  max time network: 254s
  platform: windows11-21h2_x64
  resource: win11-20231215-en
  resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 10-02-2024 00:57

Static task: static1
Behavioral task: behavioral1 (Sample: master; Resource: win11-20231215-en)

General
  Target: master
  Size: 157KB
  MD5: 02f3de727b413d884c230b559e4fbe19
  SHA1: 589830e09b2a00d7580be1adc9d26975fd88f6ad
  SHA256: 53a51984004618984c2817af329f318cffc49b30b5e45e41017b7c0b9c2d5c6a
  SHA512: de2667b3da03ee9ce6914a247fd2a1deb8e5a3bb1d05abc3ae4e41291c55ac4321dd9225c50bbb37a9b3eaa199572cb8f71437d772fac8a61f0d322fbf5a24bf
  SSDEEP: 3072:AofpYYRMBy1cvxC20BOjS+rzkzZfgIsWnZEic/AzL2DuqJRBf62gVSgE29xxspm4:EDuqJHffgVSgE29xxspm0niivuz3k9Nn
Malware Config

Signatures
  BadRabbit: ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  CryptoLocker: ransomware family with multiple variants.
  Dharma: ransomware family; some of its campaigns install a legitimate security product alongside the payload to mask the malicious activity.
  Mimikatz: open-source tool for dumping credentials on Windows.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"  [reg.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Documents\\nigga\\Annabelle.exe"  [Annabelle.exe]
  The Shell value is "explorer.exe" on a clean host; whatever replaces it is started as the user's shell at every interactive logon.

Disables Windows Defender real-time monitoring via policy key (2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  [Annabelle.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  [Annabelle.exe]

Disables UAC (EnableLUA = 0) (2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [reg.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Annabelle.exe]
  EnableLUA = 0 turns off UAC Admin Approval Mode; the change takes effect at the next reboot.
Deletes shadow copies (2 TTPs)
  Ransomware commonly deletes Volume Shadow Copies and other backups to inhibit system recovery.

Renames multiple (549) files with added filename extension
  Consistent with ransomware encrypting files across the system. Renamed files in this run follow the pattern <original name>.id-4187608E.[<contact address>].ncov; the contact address inside the brackets is not preserved in this capture and appears below as "[email protected]".
Mimikatz (1 IoC)
  mimikatz is an open-source tool to dump credentials on Windows.
  resource: behavioral1/files/0x0003000000025cca-808.dat  yara_rule: mimikatz
Disables RegEdit via registry modification (2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [Annabelle.exe]
  Set value (int)  \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [Annabelle.exe]

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

Downloads MZ/PE file
Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid 3684  netsh.exe
  pid 3592  NetSh.exe
  pid 5180  netsh.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
  All entries are subkeys of \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and all are written by Annabelle.exe.
  Set value (str) <image>\Debugger = "RIP" for 35 images: yandex.exe, msconfig.exe, cabinet.dll, chkdsk.exe, secpol.msc, iexplore.exe, mmc.exe, logoff.exe, DCIMAN32.exe, ksuser.dll, shellstyle.dll, firefox.exe, mydocs.dll, taskkill.exe, MSASCuiL.exe, wmplayer.exe, Autoruns.exe, rundll32.exe, microsoftedgecp.exe, url.dll, webcheck.dll, opera.exe, dllhost.exe, UserAccountControlSettings.exe, Autoruns64.exe, rundll.exe, microsoftedge.exe, attrib.exe, sethc.exe, mspaint.exe, DBGHELP.exe, notepad.exe, recoverydrive.exe, powershell.exe, notepad++.exe
  Key created <image> for 29 images: dllhost.exe, rundll32.exe, usbui.dll, systemexplorer.exe, chkdsk.exe, microsoftedge.exe, gpedit.msc, mspaint.exe, rasman.dll, attrib.exe, bcdedit.exe, shellstyle.dll, secpol.msc, powershell.exe, yandex.exe, msconfig.exe, Autoruns.exe, mydocs.dll, microsoftedgecp.exe, MSASCuiL.exe, Autoruns64.exe, cabinet.dll, DBGHELP.exe, UserAccountControlSettings.exe, wmplayer.exe, control.exe, taskkill.exe, DCIMAN32.exe, opera.exe
  A Debugger value makes Windows start that program with the original command line appended instead of the requested image. "RIP" resolves to no executable, so the targeted tools (Autoruns, msconfig, mmc, PowerShell, taskkill, attrib, bcdedit, notepad, the browsers, the UAC settings dialog) simply fail to launch. Entries keyed on DLL and .msc names have no effect, since IFEO is matched against the executable image name, not against modules or documents.
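Added example (not part of the Triage report): a PowerShell audit of the registry tampering this report attributes to Annabelle.exe and reg.exe, covering the IFEO Debugger hijacks above and the Winlogon Shell, Defender policy, EnableLUA and DisableRegistryTools values listed earlier. The key and value names are the ones in the report; the DisableTaskMgr check is an assumption (it is the standard value behind the "Disables Task Manager" signature, but the report shows no IoC row for it), and the "does the debugger resolve to a real program" test is my heuristic, since legitimate JIT debuggers are registered the same way.

```powershell
# Added example, not part of the Triage report. Run in an elevated PowerShell on the suspect
# host. HKCU: covers the logged-on user only; the report's user hive is S-1-5-21-...-1000.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerHijack {
    # IFEO\<image>\Debugger makes the loader start "<Debugger> <original command line>"
    # instead of <image>. "RIP" resolves to no executable, so the target never starts.
    # Real debuggers are registered the same way, so an entry is flagged only when its
    # first token does not resolve to an existing application.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { return }
        # first token: the quoted path, or the text up to the first whitespace
        $first = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
        $app   = Get-Command -Name $first -CommandType Application -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Image      = $_.PSChildName
            Debugger   = $dbg
            Suspicious = ($null -eq $app)
        }
    }
}

function Get-PolicyTamper {
    # One row per value the report shows being written, with the test that marks it bad.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name = 'Shell'; Bad = { param($v) $v -ne 'explorer.exe' }
           Note = 'Winlogon shell replaced (report: system.exe, then Annabelle.exe)' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
           Name = 'DisableRealtimeMonitoring'; Bad = { param($v) $v -eq 1 }
           Note = 'Defender real-time monitoring disabled by policy' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'EnableLUA'; Bad = { param($v) $v -eq 0 }
           Note = 'UAC disabled (effective after reboot)' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'DisableRegistryTools'; Bad = { param($v) $v -ge 1 }
           Note = 'regedit blocked machine-wide' }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'DisableRegistryTools'; Bad = { param($v) $v -ge 1 }
           Note = 'regedit blocked for this user' }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'DisableTaskMgr'; Bad = { param($v) $v -ge 1 }
           Note = 'Task Manager blocked for this user (assumed value name)' }
    )
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $value -and (& $c.Bad $value)) {
            [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $value; Note = $c.Note }
        }
    }
}

function Remove-IfeoDebuggerHijack {
    # Deletes only the Debugger values Get-IfeoDebuggerHijack flagged; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-IfeoDebuggerHijack | Where-Object Suspicious | ForEach-Object {
        $key = Join-Path -Path $IfeoRoot -ChildPath $_.Image
        if ($PSCmdlet.ShouldProcess($key, "remove Debugger = '$($_.Debugger)'")) {
            Remove-ItemProperty -Path $key -Name Debugger
        }
    }
}

function Restore-WinlogonShell {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($PSCmdlet.ShouldProcess($key, 'set Shell = explorer.exe')) {
        Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe'
    }
}

# Usage: review first, then remediate with -WhatIf before running for real.
Get-IfeoDebuggerHijack | Where-Object Suspicious | Format-Table -AutoSize
Get-PolicyTamper | Format-Table -Wrap
# Remove-IfeoDebuggerHijack -WhatIf
# Restore-WinlogonShell -WhatIf
```

Restoring Shell and clearing the Debugger values is enough to get taskkill, msconfig and PowerShell launching again; the Defender and UAC policy values are worth resetting through Group Policy (or deleting) rather than flipping by hand, so the next policy refresh does not reintroduce them.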
Sets service image path in registry (2 TTPs, 8 IoCs)
  All written by mssql.exe; each ImagePath points at a .sys file in the user's profile, which is a kernel-mode driver registration from a user-writable directory (drivers normally live under C:\Windows\System32\drivers). Whether the drivers actually loaded is not shown in this report.
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\mssqlaq.sys"  [mssql.exe]
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\mssql.sys"  [mssql.exe]
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vyzqpyqtpmgudr\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\vyzqpyqtpmgudr.sys"  [mssql.exe]
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\snmnksogcljiaz\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\snmnksogcljiaz.sys"  [mssql.exe]
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eitsfabstdusncm\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\eitsfabstdusncm.sys"  [mssql.exe]
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rpebqxjmesyimgvxy\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\rpebqxjmesyimgvxy.sys"  [mssql.exe]
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gmrymzpzqsawkp\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\gmrymzpzqsawkp.sys"  [mssql.exe]
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zjmzabggegamayz\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\nigga\\ac\\zjmzabggegamayz.sys"  [mssql.exe]
Deletes itself (1 IoC)
  pid 1724  CoronaVirus.exe

Drops startup file (6 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe  [DeriaLock.exe]
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe  [CoronaVirus.exe]
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  [CoronaVirus.exe]
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4187608E.[[email protected]].ncov  [CoronaVirus.exe]
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4187608E.[[email protected]].ncov  [CoronaVirus.exe]
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta  [CoronaVirus.exe]

Executes dropped EXE (8 IoCs)
  pid 912   system.exe
  pid 4960  7E88.tmp
  pid 4576  {34184A33-0407-212E-3320-09040709E2C2}.exe
  pid 5076  {34184A33-0407-212E-3320-09040709E2C2}.exe
  pid 5712  nc123.exe
  pid 5784  mssql.exe
  pid 5908  mssql2.exe
  pid 6628  Annabelle.exe

Loads dropped DLL (1 IoC)
  pid 1204  rundll32.exe

UPX-packed memory regions (YARA rule upx, 2 IoCs)
  behavioral1/memory/4712-789-0x0000000000400000-0x0000000000438000-memory.dmp  upx
  behavioral1/memory/4712-793-0x0000000000400000-0x0000000000438000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 8 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"  [reg.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"  [{34184A33-0407-212E-3320-09040709E2C2}.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Documents\\nigga\\Annabelle.exe"  [Annabelle.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Documents\\nigga\\Annabelle.exe"  [Annabelle.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Documents\\nigga\\Annabelle.exe"  [Annabelle.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"  [CoronaVirus.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""  [CoronaVirus.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""  [CoronaVirus.exe]
  The last two entries use a full file path as the value name and re-display the HTA ransom note through mshta.exe at every logon.
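Added example (not part of the Triage report): a PowerShell audit of the three persistence mechanisms the report lists, namely services whose ImagePath lives in a user profile (the *.sys registrations by mssql.exe), Run values in HKLM, WOW6432Node and the user hive (including the mshta.exe launchers for Info.hta), and the Startup folders. The path regex, the Authenticode check and the "value name is a path" rule are my heuristics; nothing here is the sandbox's own logic.

```powershell
# Added example, not part of the Triage report. Run elevated; HKCU: covers the logged-on
# user only (the report's user hive is S-1-5-21-...-1000).

# Locations an installer should not use for a service or autostart binary. Accepts the
# \??\ prefix and a leading quote, both of which appear in the report's values.
$UserWritable = '^"?(\\\?\?\\)?[A-Za-z]:\\(Users|ProgramData)\\'

function Get-ServiceImagePathOutsideSystem {
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $p.ImagePath -or $p.ImagePath -notmatch $UserWritable) { return }
            # Type 1 and 2 are kernel-mode drivers: the case the report shows.
            $kind = switch ($p.Type) { 1 { 'kernel driver' } 2 { 'file system driver' } default { "user-mode ($($p.Type))" } }
            [pscustomobject]@{
                Service   = $_.PSChildName
                Kind      = $kind
                Start     = $p.Start
                ImagePath = $p.ImagePath
            }
        }
}

function Get-SuspiciousRunValue {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerNoise -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            $reasons = @()
            if ($cmd -match $UserWritable) { $reasons += 'command in user-writable path' }
            if ($cmd -match '(?i)(^|[\\\s"])mshta(\.exe)?\b') { $reasons += 'mshta launcher' }
            if ($prop.Name -match '^[A-Za-z]:\\') { $reasons += 'value name is itself a file path' }
            # first token of the command, then an Authenticode check if it is a real file
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            if ($exe -and (Test-Path -LiteralPath $exe) -and
                (Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
                $reasons += 'target not Authenticode-signed'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd; Why = ($reasons -join '; ') }
            }
        }
    }
}

function Get-StartupFolderItem {
    $dirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem -Path $dirs -Force -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-ServiceImagePathOutsideSystem | Format-Table -AutoSize
Get-SuspiciousRunValue | Format-Table -Wrap
Get-StartupFolderItem | Format-Table -AutoSize
```

The unsigned-binary rule is what catches the Run\CoronaVirus.exe entry: its command points into System32, so the path heuristic alone would pass it. Services that point into a profile directory should be disabled (Start = 4) and their .sys files collected before deletion, since a loaded driver cannot be removed from disk cleanly while it is running.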
Drops desktop.ini file(s) (64 IoCs)
  All entries are "File opened for modification" by CoronaVirus.exe:
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Public\AccountPictures\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-771046930-2949676035-3337286276-1000\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-771046930-2949676035-3337286276-1000\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Program Files\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Cerber5.exe, in report order: \??\r:, \??\s:, \??\y:, \??\l:, \??\e:, \??\h:, \??\i:, \??\p:, \??\u:, \??\b:, \??\m:, \??\o:, \??\t:, \??\x:, \??\a:, \??\j:, \??\k:, \??\n:, \??\q:, \??\v:, \??\w:, \??\z:, \??\g: (every letter except C, D and F)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
  flow 69  raw.githubusercontent.com
  flow 8   raw.githubusercontent.com
  flow 64  raw.githubusercontent.com
  flow 65  raw.githubusercontent.com
  flow 66  raw.githubusercontent.com
  flow 67  raw.githubusercontent.com
  flow 68  raw.githubusercontent.com
Drops file in System32 directory (2 IoCs)
  File created  C:\Windows\System32\CoronaVirus.exe  [CoronaVirus.exe]
  File created  C:\Windows\System32\Info.hta  [CoronaVirus.exe]

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Control Panel\Desktop\Wallpaper = "0"  [$uckyLocker.exe]
Drops file in Program Files directory (64 IoCs)
  All entries are by CoronaVirus.exe. "File created" rows are the renamed (encrypted) copies; "File opened for modification" rows are originals being read or written.
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\AppStore_icon.svg
  File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\NOTICE.TXT.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\PresentationFramework.resources.dll.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare70x70Logo.scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-150.png
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms
  File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationTypes.resources.dll
  File created                  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md
  File opened for modification  C:\Program Files\Microsoft Office\root\vreg\osmmui.msi.16.en-us.vreg.dat.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner.gif.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-20.png
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected].[[email protected]].ncov
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small2x.png
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Windows.Forms.resources.dll
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Wide310x150Logo.scale-200.png
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms
  File created                  C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Keytip.js
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\ui-strings.js
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main-selector.css.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_thumbnailview_18.svg.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_uk.dll.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\NewsStoreLogo.scale-125.png
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-250.png
  File opened for modification  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-amd\setPortalAttribute.js
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.id-4187608E.[[email protected]].ncov
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sk_get.svg
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v8.1.dll.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\x86\msvp9dec_store.dll
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-disabled_32.svg.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\7-Zip\Lang\hu.txt
  File created                  C:\Program Files\7-Zip\Lang\yo.txt.id-4187608E.[[email protected]].ncov
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML.id-4187608E.[[email protected]].ncov
Drops file in Windows directory 5 IoCs
description ioc Process
File created C:\Windows\infpub.dat BadRabbit.exe
File opened for modification C:\Windows\infpub.dat rundll32.exe
File created C:\Windows\cscc.dat rundll32.exe
File created C:\Windows\dispci.exe rundll32.exe
File opened for modification C:\Windows\7E88.tmp rundll32.exe
Program crash 2 IoCs
pid pid_target Process procid_target
3224 4712 WerFault.exe 153
5340 31476 WerFault.exe 191
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
956 SCHTASKS.exe
3984 schtasks.exe
1328 schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1348 vssadmin.exe
716 vssadmin.exe
4876 vssadmin.exe
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-771046930-2949676035-3337286276-1000\{6A6ED6C9-3C2B-4DBF-B959-93AFFDB8B55E} msedge.exe
Key created \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000_Classes\Local Settings msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4280 msedge.exe 4280 msedge.exe 4332 msedge.exe 4332 msedge.exe 3884 identity_helper.exe 3884 identity_helper.exe 564 msedge.exe 564 msedge.exe 1496 msedge.exe 1496 msedge.exe 756 msedge.exe 756 msedge.exe 1844 msedge.exe 1844 msedge.exe 1844 msedge.exe 1844 msedge.exe 1204 rundll32.exe 1204 rundll32.exe 1204 rundll32.exe 1204 rundll32.exe 4960 7E88.tmp 4960 7E88.tmp 4960 7E88.tmp 4960 7E88.tmp 4960 7E88.tmp 4960 7E88.tmp 4960 7E88.tmp 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe 1724 CoronaVirus.exe -
Suspicious behavior: LoadsDriver 32 IoCs
pid Process 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe 5784 mssql.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
pid Process 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeShutdownPrivilege 1204 rundll32.exe
Token: SeDebugPrivilege 1204 rundll32.exe
Token: SeTcbPrivilege 1204 rundll32.exe
Token: SeDebugPrivilege 4960 7E88.tmp
Token: SeDebugPrivilege 2648 DeriaLock.exe
Token: SeBackupPrivilege 5384 vssvc.exe
Token: SeRestorePrivilege 5384 vssvc.exe
Token: SeAuditPrivilege 5384 vssvc.exe
Token: SeDebugPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeLoadDriverPrivilege 5784 mssql.exe
Token: SeDebugPrivilege 5908 mssql2.exe
Token: SeShutdownPrivilege 2924 Cerber5.exe
Token: SeCreatePagefilePrivilege 2924 Cerber5.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe 4332 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
5784 mssql.exe
5908 mssql2.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4332 wrote to memory of 1276 4332 msedge.exe 80 PID 4332 wrote to memory of 1276 4332 msedge.exe 80 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to 
memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 336 4332 msedge.exe 81 PID 4332 wrote to memory of 4280 4332 msedge.exe 83 PID 4332 wrote to memory of 4280 4332 msedge.exe 83 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 PID 4332 wrote to memory of 2420 4332 msedge.exe 82 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\master
    PID:4440
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4332
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc0a583cb8,0x7ffc0a583cc8,0x7ffc0a583cd8
      PID:1276
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
      PID:336
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      PID:2420
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:4280
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      PID:2084
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      PID:3872
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
      PID:3256
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
      PID:3708
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:3884
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
      PID:1904
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      PID:3724
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
      PID:2964
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
      PID:2012
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:564
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
      PID:3372
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
      PID:5096
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
      PID:1952
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
      PID:1176
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8
      PID:1556
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
      PID:1644
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
      PID:1948
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
      PID:1752
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
      PID:1132
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
      PID:1156
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6668 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID:1496
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6660 /prefetch:8
      PID:2468
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
      PID:2712
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
      PID:1936
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
      PID:868
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
      PID:564
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:756
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14181563627958092354,10338509147728924209,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6928 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:1844
[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:2828
[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:564
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:3388
[1] C:\Users\Admin\Documents\nigga\$uckyLocker.exe
    "C:\Users\Admin\Documents\nigga\$uckyLocker.exe"
    - Sets desktop wallpaper using registry
    PID:3912
[1] C:\Users\Admin\Documents\nigga\7ev3n.exe
    "C:\Users\Admin\Documents\nigga\7ev3n.exe"
    PID:1748
  [2] C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      - Executes dropped EXE
      PID:912
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        PID:1112
    [3] C:\Windows\SysWOW64\SCHTASKS.exe
        C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        - Creates scheduled task(s)
        PID:956
    [3] C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        PID:2196
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          - UAC bypass
          PID:4836
    [3] C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        PID:2756
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          PID:1916
    [3] C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        PID:3524
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          PID:1096
    [3] C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        PID:5104
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          PID:2640
    [3] C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        PID:3012
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - Adds Run key to start application
          PID:1744
    [3] C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        PID:1500
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - Modifies WinLogon for persistence
          PID:3388
C:\Users\Admin\Documents\nigga\Annabelle.exe"C:\Users\Admin\Documents\nigga\Annabelle.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
PID:2128 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1348
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:716
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
PID:3592
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:4876
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f2⤵PID:31668
-
-
C:\Users\Admin\Documents\nigga\BadRabbit.exe"C:\Users\Admin\Documents\nigga\BadRabbit.exe"1⤵
- Drops file in Windows directory
PID:4560 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵PID:4044
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:1748
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1152704909 && exit"3⤵PID:4468
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1152704909 && exit"4⤵
- Creates scheduled task(s)
PID:3984
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 01:19:003⤵PID:1960
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 01:19:004⤵
- Creates scheduled task(s)
PID:1328
-
-
-
C:\Windows\7E88.tmp"C:\Windows\7E88.tmp" \\.\pipe\{1E1645A2-CE3F-4FF1-9159-1A8CA3142230}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960
-
-
-
C:\Users\Admin\Documents\nigga\Birele.exe"C:\Users\Admin\Documents\nigga\Birele.exe"1⤵PID:4712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 2842⤵
- Program crash
PID:3224
-
-
C:\Users\Admin\Documents\nigga\Cerber5.exe"C:\Users\Admin\Documents\nigga\Cerber5.exe"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2924 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
PID:3684
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
PID:5180
-
-
C:\Users\Admin\Documents\nigga\CoronaVirus.exe"C:\Users\Admin\Documents\nigga\CoronaVirus.exe"1⤵
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1724 -
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:30476
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:30584
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4712 -ip 47121⤵PID:3592
-
C:\Users\Admin\Documents\nigga\CryptoLocker.exe"C:\Users\Admin\Documents\nigga\CryptoLocker.exe"1⤵PID:2376
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Documents\nigga\CryptoLocker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4576 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002403⤵
- Executes dropped EXE
PID:5076
-
-
-
C:\Users\Admin\Documents\nigga\DeriaLock.exe"C:\Users\Admin\Documents\nigga\DeriaLock.exe"1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
C:\Users\Admin\Documents\nigga\Dharma.exe"C:\Users\Admin\Documents\nigga\Dharma.exe"1⤵PID:5344
-
C:\Users\Admin\Documents\nigga\ac\nc123.exe"C:\Users\Admin\Documents\nigga\ac\nc123.exe"2⤵
- Executes dropped EXE
PID:5712
-
-
C:\Users\Admin\Documents\nigga\ac\mssql.exe"C:\Users\Admin\Documents\nigga\ac\mssql.exe"2⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5784
-
-
C:\Users\Admin\Documents\nigga\ac\mssql2.exe"C:\Users\Admin\Documents\nigga\ac\mssql2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5908
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5384
-
C:\Users\Admin\Documents\nigga\GandCrab.exe"C:\Users\Admin\Documents\nigga\GandCrab.exe"1⤵PID:31476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 31476 -s 2562⤵
- Program crash
PID:5340
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 31476 -ip 314761⤵PID:30964
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\7a6648215334409ab62ace7211dfa7bc /t 684 /p 26481⤵PID:9696
-
C:\Users\Admin\Documents\nigga\Annabelle.exeC:\Users\Admin\Documents\nigga\Annabelle.exe1⤵
- Executes dropped EXE
PID:6628
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39da055 /state1:0x41c64e6d1⤵PID:31360
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004C41⤵PID:26000
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (7)
Downloads
- Filesize: 1.0MB
  MD5: 055d1462f66a350d9886542d4d79bc2b
  SHA1: f1086d2f667d807dbb1aa362a7a809ea119f2565
  SHA256: dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
  SHA512: 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
- Filesize: 152B
  MD5: 05ed8d7350c6abddb2413582af13b728
  SHA1: 98b3e6793352038355ee54fc58828e5ca1cf0f77
  SHA256: 878b0ffac96b1428cb415ab15b289258dcf9fc175ac2571622e4dc1219f32c01
  SHA512: b80bf631b56588daf08570c05aac9a67cee414403149c223a005a7dd9c81b5e8d4c6f175815106f039d47c1bfef875ecbf65efba106d5107b137f2aabe446058
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\679a70bc-e9c7-41ba-b227-d3188b4089af.tmp
  Filesize: 5KB
  MD5: 93bf9653645646afaddef16d01498e7d
  SHA1: 8560fd6cfc4f766d6a480136de7a68eff4d6e69d
  SHA256: e78709edaa667f1c11dbda7ff6ab60d8bab58f842f1e64ffb62b3f49e85ddf5f
  SHA512: ae2560cce0f0b159926956304e4d67d21c5f5a0661f0a8211db87c4e9e12a1f175eb72640eb5100945f931b400492467ab27fe80bca3afd9a21360274a2cc7dd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: 97887531124b05c7f59e595f32c5c78f
  SHA1: 991c268c33f930568945bee835c7ce3ca77000a2
  SHA256: 18832bedd1ddd2dae22eec932c9abc21259bffbcfe4464236aaa6caeb79ff656
  SHA512: 0aaade7a5da0eeb6f1ee0a534ca03a9f7e839f5088209612173855b919b19a141f96e58bd85ac147c7cb420a8ddc480ac3d79558d481837a19da2fa07fe8eddc
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 4ab545e1eec784b7d8d761aea6392917
  SHA1: 73c72e5ff81e04687b8b0180326812e22459c6da
  SHA256: 7ddefb0a2598e3d1eae19d3934c294485e3a5ef44c653b06778ee6ffd58f4b77
  SHA512: 2c61474f11dee89c977dce6d149aca2348d6711bfb067839f904a8440e3d6620d73bb551454976e977bddd808c5b7867e228accbbbe09cade803e691b36e0c7f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: d53cbec8abd9cc4d4a969eca250fa598
  SHA1: 4b7377965acf1e549f61d09e29c6d6c2e946677e
  SHA256: ee76a86258c7d20ae121906c7629e8be2ac9b74cfd3931ea62b84f525776ac8b
  SHA512: 397fffab1d19fc27c7e5822aa0b1a1ac7c31e5277a7e0a0780309ed2b8ca830492fc8923c687cc8a2cbec4fbaa2ec4a43484b9770b657db88bb1b5cc560fe5d9
- Filesize: 1KB
  MD5: 0b3ef3af9e94782bd2e27d3138b7b027
  SHA1: ed95fab7384496b1bd9146b2128bde93323a867b
  SHA256: 24790044e744edfb0aba5edc780b39c7bf47bc914c2ace68686c3a1174711ca0
  SHA512: 1d93a7285a9654c9f2f48acc5d17c57690204c64123b7b98d103e07b13aaedc290fc30b0351cf25f0112fe2d3f1ec256faede4e494fd98a311cbb0fabd91dd49
- Filesize: 643B
  MD5: 442fc0453c72e0b4d465fe00bdcfe979
  SHA1: 46cebdc409885cdd242ee7bd18bd9b6f9446b515
  SHA256: 2e41b98d86a1f3cc0ce9f21e4b9bcc695c48702f7bb7913ae96904aca45bc0e9
  SHA512: 5380e7ff4923339b61006a6a483a07c01290a68c0db7b3a40b7d3ab939e3b0d1eec1dc48e58ffdfd2a24182286b272d19aea4b689581268b5d5fd98d3000bd1b
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 4KB
  MD5: 876ec196ca6fc3f42bb6711244c9a2a3
  SHA1: 446c04905300cbc1090c79c75a2d1cd5aa4f9332
  SHA256: 274bd634907e53bbee30c0d067f31b597513bd28a804a7a6ee01881f3f9c57ef
  SHA512: c9d106ea9ad2329885ec61e4af73ca6ef9ecf5141a7cacef7ab7650697ca9051f98a2a52cf703431ae2ec8289d66196a4336fd398c193d9490622cfa571cfb48
- Filesize: 5KB
  MD5: bc34d09b0feae353e4db28a2e52c2583
  SHA1: fb363ca008eca409c3d94bf6cb36797eed3a68a4
  SHA256: b3bf055c6bab05075761ff6176dd673dabed21206736d5f961c84659b9a044cb
  SHA512: cc80bcf8858113bf4eb56d7dcefd471d270447b40f321764b57e3ea91d2026874b032d465c4d83dc15e23449b43a2cd264636495aacc72d482effe4716a24127
- Filesize: 6KB
  MD5: 490cc1f668003e508133ce4bb7630394
  SHA1: ef51280df55a87f449549fb01628bcd171aa2091
  SHA256: cdf534d875feafe161e9cb9bb9af542cc08392f4773a54b1fe2c037498c62ae4
  SHA512: 803d66a39058d3d89130fe9339bbd16ef2d1004fa40244f45fbbd55c5a6aa34004bc3e4b262ab71ed6c90acb1a456be7f924c81402be186e38c111451de04b5b
- Filesize: 5KB
  MD5: b57dcc1215e3ee0e31467f353efd4a1d
  SHA1: 568892257a50cf9561ba5e742e518bc308f3445d
  SHA256: 954a36145a0930f0bde22c7ad6edfd16f2c19234481cb25eb7753ea67c83b42e
  SHA512: 0eec41a373130347040e8b78ec9ec018f13dfd131914fbcfd99c861b8b23cefca7f865f7cc692cb1892f7f0871f669546984cf6f361c394c57b5c1eb7959b0d2
- Filesize: 5KB
  MD5: 70f4f77cf20f42cc80090282c2be3d49
  SHA1: 12451a44b634c9ce1ca179cb3c2bcca5b04bb299
  SHA256: efc94eaec69e8a09b5fd61d2c47c78535eebbfe086be750de8aa0f43d5c81ed1
  SHA512: 2da9294aee6b3e254c1e16693cee281a25ec1fff296908c066fc6302a8fbe57bddb6c68ef2d6c723a460715726babd7f71b2b36542174594a17bc343ef4c6c55
- Filesize: 25KB
  MD5: 3da3cf652acf7e0fee298963e8cb77d3
  SHA1: 8d35e8ba0767c10324335e8fc8f5c422ece4e504
  SHA256: 9b436ba7a14d3947bfe73fa9bd581f6fbf0acbf26e97a3a54d6d032d19f8cf64
  SHA512: 89e9555edd366fedaf79bf4c6da816a69fb220c987337369511c4422034cad486338a261eb6954d000dbfa636c969d04b65de62bb6df9c023ca5e11c892ee83d
- Filesize: 1KB
  MD5: b615d44ebb68f9c188228c35e28ea938
  SHA1: 3f71f7dabe7f10c6362a1e3b1481ac49be13f0ab
  SHA256: 2897b3efcd04a2d0189fc43fcd4e3396b527b5365ed15ac8e87721a4a32807e4
  SHA512: 379593d37c20c40decdc0b256bd3f39400248257f62bd2cbc9984f5ae9cea1b1d4fa8c42807bf61b4b073f23f64d2c644607970c09793eef4a22bf3807ca5d4a
- Filesize: 1KB
  MD5: ca15d062517271b888f5e9534af328d7
  SHA1: 8376641506cf8dde85d55cbce01b78e729ebcded
  SHA256: 3bb51ebc9b2a63cf9c30fa763552be4ebe59ad18b5777d164142712ef5856f56
  SHA512: daf0fd2e3a2051c21e08ffa329620f724946bafc2c12545db952b4500771e91822a8c98f849d390183a08acb5bcbdaa6dd3ff781dd19bdd4299a590bfd76a943
- Filesize: 1KB
  MD5: 7e24d1badd3872f144fbca0939974e95
  SHA1: bca09e96458a66ad0c7e55ff0162757c5f117053
  SHA256: 415e50d219fdc6534d2c67bfd4ffd4e1af708815cd9896019e0e08f5043a9df1
  SHA512: b42495043084bfb7256e103900be526226149f9e72489ed9173075446e7a71c623d1d916bb0272560a4737d03a4253e64a151210277a0ac8bb7b34e52ce49ea0
- Filesize: 1KB
  MD5: 4efb9bf453bbee3a0ca6640a986e3abc
  SHA1: 666c142d5f1a8ce4e3a15d702269f7a38a64d62b
  SHA256: d6f22ce06c30cb6e1178851c778591902ae1086b243ddf46187c303dd1795a8a
  SHA512: 74dc2f2f89bbd533b861dc8affc33d9a68fb5bc26b9ebfe3e2c48894c909728d24fb5c365373804ca77fa88ef027cfce08aa8f11cd4c23f9485ecd734d962301
- Filesize: 1KB
  MD5: 9a978a3e06acf9625f139f3211306296
  SHA1: ae2796d55628f532fc2c8bc21f1d5307681f877a
  SHA256: ce419c2d3e7b07adbdbfca679154ceefe48a5bb2f4ccc30700ecc7ea08f238c1
  SHA512: e6d47d39d1f4f371157a0e88511cc13fa1449f38b7661511e8767f84e6b5b1e5ea4abeebe5a8196c1361e35e7c15599353390535a35db84c9016893baa6e7ff6
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: d3e9649b16614fd31c99f1ad3b8451e6
  SHA1: 992664d50eed5085b906530af25c36f05bb54119
  SHA256: 30e498864df98649d7e648fedc2f6a511aea708f71f21189ae60c87d49d8d0aa
  SHA512: 50d67b2fb771728a820a2979510b897a98b6d16dd81e530daec95144a5bbcfa0e111b8d9c560ce303d5570c0ed6a67e3dad928d4657e68872c7a3acf21666e44
- Filesize: 10KB
  MD5: 795216bd6226a25d696bc5b5c232a4e7
  SHA1: 98576133c9815f97fcb5d9e3fda603a4bf028a6f
  SHA256: 7442fe9fdb0e77761e27d92d15acabbebb4f49bec589b05982d4a4d20d518f89
  SHA512: 1f76ba5a0b9160f7df70124ca20297d28cddb9bda74f8b50e64cab18e037373f0070585d73bb75f3374f37c8e136f49dd51d71d90ccd874a94fcf37c34542a2e
- Filesize: 11KB
  MD5: 154ca16ad8707105959d3b3fd773e758
  SHA1: 40f19d7a0a6cd873ff93304896a65179f6da865c
  SHA256: b9ac1fe7f473caee57c52d0064471da7b30f2e3c6cff165fd51b1d37db6f87a6
  SHA512: 5ee9dcb80419ddf7b9ae82d5819b7c67ed4d070018cd2b76562213b31a819c74d992c838048ff505d8d5effc9b460f4ea3f9851b0eec6265dc28bb2d2d7a030a
- Filesize: 11KB
  MD5: 2baf0a0710137f962d2b54502bba27af
  SHA1: 7c36d60e90f1afa8f5e95ccee27d35c78dbe01c0
  SHA256: 8868893a24499fa7ca748df01b5d2cd2885d197d9503ab3ea3ccbc2a3f800fc1
  SHA512: 7342a9fc1b73165bbd520095ebd8d68ba628592e9b144e35014683cf61acfe10ad2c6a43a6f9e49d44b3950e4e532af15ec2b38cbf87e7873c4cbf65834fd613
- Filesize: 62B
  MD5: ab76964d3a4c3e4a16ee77c892acada1
  SHA1: 55f89bf16dcb5b89d488b6b3f1f0f20690cf5a97
  SHA256: c713022ae086fd03921cb151a4c2c4cee022b4833942a116a8890c0d4a732b0d
  SHA512: 9905311518d5302680c530f873aefb63f089b45bd4c54c2958b4d8e00b873fb240c40931cb627bda98afa29769b32d1931cf8c570d2cd1afa61c1e61f64ec823
- Filesize: 315KB
  MD5: 8bf56cfb33a536edfe7155f1634a5288
  SHA1: 5b186dfb7810d7e9a4cb7475dfea3334e8fdddda
  SHA256: 7c5c89bc4988c7ef7c95ba065cf12c4b16a52cf0b5f31ce73287ae887e08b929
  SHA512: 23dbc3a80a8c623631b9d9d78bb51777dc8eb643818b16839fd5d41120f026f832ff420728d90d516618888089e74e554041238a6bd679032592dbd033c49f41
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 338KB
  MD5: 04fb36199787f2e3e2135611a38321eb
  SHA1: 65559245709fe98052eb284577f1fd61c01ad20d
  SHA256: d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
  SHA512: 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
- Filesize: 124B
  MD5: 54ba0db9b8701f99a46ae533da6fe630
  SHA1: 2bd5aea2aceea62deb7ba06969ff6108f3381929
  SHA256: bb1455630e747e00b60910f9eadf47641ecc46e917034d08530430569d8eaeac
  SHA512: 27fa4e43cf1a1b79a597cfb28aa29457aa096d8c485f84d7b2754268148bfa7430e53abdee4897f911af51aabbae3942ff57cbae02765bbea27e1c181bfecc1a
- Filesize: 11KB
  MD5: efb59856d6da6005405673e22c81eb68
  SHA1: d34dcc9df9c4f8b172a9e43c204ee38a2a5febe6
  SHA256: 17f29595124e30cf515a8fe04239437b32f6a0edbcbd22bcfb373be3bd2fbc23
  SHA512: 71898e1fc305f5d992bcf7949eabf3ad52290df29a3742ebbabccae407ba2b676fb6e74a8c5c1867be501ad6d22c46780d45e8d3befecbc2f502d76d4834ffa2
- Filesize: 580KB
  MD5: 7691c7ef26037a70d5798e3fbbfee9c4
  SHA1: 85bd1a80eb4b200e07e80969003b79b823783710
  SHA256: a387527d0f2f25c84a7b04607e83e2779e815289368e4ced30eee338fb1c2bfd
  SHA512: 6ad4c7592d1e2b49285e71a7704a32da41631b66cec8edeed6fd4218c4f9811cbc6a6f3a5be618367c6802c8f1c1fdbf039576ab89900f904af3807563fa5e6b
- Filesize: 11KB
  MD5: b53435b65e8e54e8ef0821ef8fc18858
  SHA1: a2875aa6726884bbd8a6b7662cf1ea4a132471b4
  SHA256: fe6a36cf7c5426a71dd305cba3e45fe3e069e6a951a9880dc6110f7604b8f11f
  SHA512: 5ed6f091f3a9f97a7c024fd8e2b720380c6310d533e53acecf08ecc6ee9f03a7b54290921bea9adee917de72ff9f707c21d2b3096c8e290579dba2adf90a28d8
- Filesize: 960KB
  MD5: 4065e73cb294999a0b221ed1ba146c68
  SHA1: 10f1b7cc7b96f8974adcb39b8248e49bd418e501
  SHA256: 87e0347268c7dbedffcdc9e5bbc4892cf6cb3083aa95d9d58830b02765e8ddde
  SHA512: abacaccadeec7bcd4fbf8057ce4255ff9834c8c118d666b40169a1dd9a2b685d5ce6d4f0a8bf6b61aa111f669d7523af358e5c79e71932299d353e179e89a046
- Filesize: 11KB
  MD5: cfaf5a3cfd727880ffa9cad8378ab27d
  SHA1: 95adbd2fcf96e714925d6d1033777f318c36cc86
  SHA256: 8a7df45e942d65a653f36662528974c36791687d4f3fcfc976378eb424b38432
  SHA512: 447dcb4ff4cbe06db57bfcc0c61da1ebf5501805f0664f35ca42e9c28f658ae840adf3a264f276a349b39caa23b845b09b1a5bf3a1345ca6ecae473fc9b74304
- Filesize: 128KB
  MD5: 9580891fcc3bfa5b08769c8104a6cad4
  SHA1: 85ebe3ca77d4a358a3c4180c2c41ddd28b6e2c5c
  SHA256: 846d7bd19388691c2b3e520d0eb58890963327af5e28fa40cda333376fb1a177
  SHA512: af4c4cd28d8b845dcba8ce91a9632a0b1ab203092e2ff2f66091b10c553164651805f362343071c8d000ff6992d2f85609aa94ae3159b134a6f31f9d926d8ff6
- Filesize: 11KB
  MD5: b6044f65a414faae440f08df3e0d5e0e
  SHA1: 5e81f3df21e1a71b6b2f8a92ac5b5d8944325d40
  SHA256: 53ce41885b9d87a9f8ebd67f00dceeadf289f3eeaf4e48b7c95f8f63fa7c9393
  SHA512: 45e87e59279e6918c016f5bc5086a67ec17b9647c5fcfa6fbd47dfb213f78261aa40c80a0316979db5e74012a9de1f9b0a221a6209b27a33ebb6ff068d371c27
- Filesize: 11KB
  MD5: 8a83a64796f007abba309dedb7e2e0a5
  SHA1: 83452d93d7120f82d6b0a7b8b225ba6d1e736ed2
  SHA256: 8143db1d3a9d172bce528a3e4bdc10651835b37665c298fc815f5b517084de82
  SHA512: d0d2008242da1eecc45fec5673c8dbf8a189060f015968bc69d730fba8bc1a937d3e356dedf46b8bd0e6902d88ffe0d3232804f2b2bf297f86a26a509f3b3148
- Filesize: 1.1MB
  MD5: 0d228a6cabd299c4f6533828fd914805
  SHA1: a03e2f516fc56cca838945578db2fdf64e60bd77
  SHA256: 0465689cab6a4a72f244b357a19eed7579023808c1a26117bba2a466faace9a4
  SHA512: 3dc3a4675a0508664558ce539016850f40b387f4c508e391c6cb644a116dd57aeae0c6919b4658ad86bc635e9cec427f697a1968d35df1b18c0b3d820691a742
- Filesize: 6.2MB
  MD5: 0dcd66788acb85eb8d9adff84ee3b64f
  SHA1: c922bea1c531502394aa0d83390a9075d828bd2a
  SHA256: c745248c15aafad5c5e0ae34c610cec51202f7f1ed3ff2c003642332a00d71b8
  SHA512: c60282e48201a27c217e9dbd8852fb7020f5e608ddfbb667619e0b261109f4995e736c5f33e681ea99fd6fc2babbe57f0d6e360b9eb86e8991caf9da846db91b
- Filesize: 512KB
  MD5: df1fc6d475dca6451632c1d9e71633a9
  SHA1: f1528dd95236aff67f969ed6d817510853881aae
  SHA256: f996c951ff3e8dfc6a11e375dd830dca3effb41c2516a2e5eceb4fded2295b5c
  SHA512: cdfd985f6fe897f56a62d803ee1285a334745f023230efe1f259dfb7b8ed5e862a38f92e9bbfaa0d1fadf8847205c88ecbc153e61304d8f8443239739bdea17f
- Filesize: 1.3MB
  MD5: bf5d5d6ad25e407fce70bed9c4e75671
  SHA1: d64b684e14548eb1bb32c3db01c079d6a88b5c83
  SHA256: 9fbfcab17bccd020efa110cce5b98e94a6119fcd706967bda7031a688955fb87
  SHA512: ebfc05fad2fdc00aa2c45a24ad3f3228229f2f89c7115c9d69239428351e1ab8e1ab8b4b78f43be5f82ea2722413c0f25230cebbe1c9fb7b8027df8824868dce
- Filesize: 384KB
  MD5: cf45f5d2222389a15b189651640397ab
  SHA1: 863b0134848cbaef4ff8c70c9693294b04eb9357
  SHA256: 9079c24e1b428392e89f578945730b3eb79b971a44446b115077a2cfcb597572
  SHA512: 9618519f59f716ebd61b8ce34a70a7291efe5e38001c56e8b84c3252c384bdef24570bd9de2185a0d2a6b04ee62192a2e18ffd247d66d19e1c071cef7d22cfbc
- Filesize: 256KB
  MD5: 518a824e1f2aabc60ac2fda43159531c
  SHA1: dd583e9531b19baa45b5cb06a2dc2ad370f10718
  SHA256: ee813c4e78c7bb4cdb89690bb706859bf00f4824982332401686d7194dab1307
  SHA512: c8fd116d93fa5fa9cda9b2c0b8e03aa7eb5ed0191ad42fe3a0283f4e9333aa9ad6daaa2c7ad59d2d8ae271852fe9bcdfa0ba46019906221c7680199d4810dcbe
- Filesize: 125KB
  MD5: 597de376b1f80c06d501415dd973dcec
  SHA1: 629c9649ced38fd815124221b80c9d9c59a85e74
  SHA256: f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
  SHA512: 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
- Filesize: 674KB
  MD5: b2233d1efb0b7a897ea477a66cd08227
  SHA1: 835a198a11c9d106fc6aabe26b9b3e59f6ec68fd
  SHA256: 5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da
  SHA512: 6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37
- Filesize: 54.6MB
  MD5: b379eaccd89c8118eab812bc72d3bfcd
  SHA1: df70f0a78633b53ff3734d45b3d72a2bb738a528
  SHA256: a199ab11ce975cf401cdb31f4f7ba5c1f3e8fce6f2a42666dc3982cbb07e8796
  SHA512: 4f1f0e23aef33e49708cacd11757f4edadbcfba69a98760f1ba8668a5cbb19cc22ebbfb92327dfa0dbac1b9dab7bb03a5714d944f3ae625820e66b2f880b5d16
- Filesize: 1.8MB
  MD5: 2a7758cc2454c597ce541c5e2c0c8251
  SHA1: fbe610cbf5381a36c3dd452dc05524fb54b5ce73
  SHA256: 3e8cf7e753c1489b7b53406dfd539a53d8facffce3b609552650d8d2220cd854
  SHA512: 95a3d0498becee5be9f72316e6f7996a168f1fb27f2cda96cd62dc506ade070fdb57419e9944f6de10c07ad388f9741c62e845fb6bfe3f478caf27a6344e8d05
- Filesize: 60KB
  MD5: 347ac3b6b791054de3e5720a7144a977
  SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
  SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
  SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
- Filesize: 401KB
  MD5: 1d724f95c61f1055f0d02c2154bbccd3
  SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
  SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
- C:\odt\office2016setup.exe.id-4187608E.[[email protected]].ncov
  Filesize: 2.4MB
  MD5: 6b57e79627736ab1973dda4e72ddf127
  SHA1: 23549b9c45053f1453c5cad9af32bec11f0a63fa
  SHA256: 12ff86966d12372f647a7af6bc0509a67c3170a36b086c3f7c1f786fdf959604
  SHA512: 1aed7b19d5d68da62ad1f407862926d50437693e100c9ae1eacb2047b92705f0d5329d9c2dac88a7e4ddecccdd197cbed8ad8d2b7ee6a3a18a65633db646a689